Yale  University 

Department  of  Computer  Science 

Security  Analysis  of  Accountable  Anonymous  Group 
Communication  in  Dissent 

Ewa  Syta  Aaron  Johnson  Henry  Corrigan-Gibbs 
Shu-Chun  Weng  David  Wolinsky  Bryan  Ford 


YALEU/DCS/TR-1472 
January  31,  2013 


Report  Documentation  Page 


Form  Approved 
0MB  No.  0704-0188 


Public  reporting  burden  for  the  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information, 
including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington 
VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  a  penalty  for  failing  to  comply  with  a  collection  of  information  if  it 
does  not  display  a  currently  valid  0MB  control  number. 


1.  REPORT  DATE 

31  JAN  2013 


2.  REPORT  TYPE 


4.  TITLE  AND  SUBTITLE 

Security  Analysis  of  Accountable  Anonymous  Group  Communication  in 
Dissent 

6.  AUTHOR(S) 


7.  PEREORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Yale  University, Department  of  Computer  Science, New  Ha ven,CT, 06520 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 


3.  DATES  COVERED 

00-00-2013  to  00-00-2013 

5a.  CONTRACT  NUMBER 

5b.  GRANT  NUMBER 

5c.  PROGRAM  ELEMENT  NUMBER 

5d.  PROJECT  NUMBER 

5e.  TASK  NUMBER 

5f.  WORK  UNIT  NUMBER 

8.  PERFORMING  ORGANIZATION 
REPORT  NUMBER 


10.  SPONSOR/MONITOR’S  ACRONYM(S) 

11.  SPONSOR/MONITOR’S  REPORT 
NUMBER(S) 


12.  DISTRIBUTION/AVAILABILITY  STATEMENT 

Approved  for  public  release;  distribution  unlimited 

13.  SUPPLEMENTARY  NOTES 

14.  ABSTRACT 

Users  often  wish  to  communicate  anonymously  on  the  Internet  using,  for  instance,  group  discussion  forums 
or  instant  messaging.  Misbehaving  users  may  abuse  this  anonymity  to  disrupt  communication,  however, 
and  existing  solutions  do  not  adequately  address  this  risk.  Messaging  protocols  such  as  DC-nets  leave 
groups  vulnerable  to  denial-of-service  and  Sybil  attacks,  mixnets  are  difficult  to  protect  against  traffic 
analysis,  and  accountable  voting  protocols  are  unsuited  to  general  anonymous  messaging.  DISSENT, 
originally  introduced  by  Corrigan-Gibbs  and  Ford  (2010),  is  the  first  general  communication  protocol  that 
offers  provable  anonymity,  integrity  and  accountability  for  moderatesize  groups,  and  efficiently  handles 
unbalanced  loads  where  few  members  wish  to  transmit  in  a  given  round.  We  provide  a  full  description  of 
an  improved  DISSENT  protocol,  define  its  precise  security  properties,  and  give  rigorous  proofs  of  these 
properties.  Our  improved  protocol  is  a  direct  result  of  this  security  analysis,  which  identified  several 
non-trivial  attacks  on  the  original  protocol  stemming  from  subtle  design  flaws. 

15.  SUBJECT  TERMS 


16.  SECURITY  CLASSIFICATION  OF: 

17.  LIMITATION  OF 

18.  NUMBER 

19a.  NAME  OE 

ABSTRACT 

OF  PAGES 

RESPONSIBLE  PERSON 

a.  REPORT 

unclassified 

b.  ABSTRACT 

unclassified 

c.  THIS  PAGE 

unclassified 

Same  as 
Report  (SAR) 

69 

Standard  Form  298  (Rev.  8-98) 

Prescribed  by  ANSI  Std  Z39-18 


Abstract 


Users  often  wish  to  communicate  anonymously  on  the  Internet  using,  for  instance,  group 
discussion  forums  or  instant  messaging.  Misbehaving  users  may  abuse  this  anonymity  to  disrupt 
communication,  however,  and  existing  solutions  do  not  adequately  address  this  risk.  Messaging 
protocols  such  as  DC-nets  leave  groups  vulnerable  to  denial-of-service  and  Sybil  attacks,  mix- 
nets  are  difficult  to  protect  against  traffic  analysis,  and  accountable  voting  protocols  are  unsuited 
to  general  anonymous  messaging. 

DISSENT,  originally  introduced  by  Corrigan-Gibbs  and  Ford  (2010),  is  the  first  general  com¬ 
munication  protocol  that  offers  provable  anonymity,  integrity  and  accountability  for  moderate- 
size  groups,  and  efficiently  handles  unbalanced  loads  where  few  members  wish  to  transmit  in  a 
given  round.  We  provide  a  full  description  of  an  improved  DISSENT  protocol,  define  its  precise 
security  properties,  and  give  rigorous  proofs  of  these  properties.  Our  improved  protocol  is  a 
direct  result  of  this  security  analysis,  which  identified  several  non-trivial  attacks  on  the  original 
protocol  stemming  from  subtle  design  flaws. 


1 


Security  Analysis  of  Accountable  Anonymous  Group 
Communication  in  Dissent* 

Ewa  Syta^  Aaron  Johnson^  Henry  Corrigan-Gibbs^  Shu-Chun  Weng^ 

David  Wolinskyi  Bryan  Ford^ 


1  Introduction 

Anonymous  participation  is  often  considered  a  basic  right  in  free  societies  (Yale  Law  Journal  1961). 
The  limited  form  of  anonymity  the  Internet  provides  is  a  widely  cherished  feature  (Teich,  Frankel, 
Kling,  and  Lee  1999;  Wallace  1999),  enabling  people  and  groups  with  controversial  or  unpopular 
views  to  communicate  and  organize  without  fear  of  personal  reprisal  (Stein  2003).  Yet  anonymity 
makes  it  difficult  to  trace  or  exclude  misbehaving  participants  (Davenport  2002).  Online  proto¬ 
cols  providing  stronger  anonymity,  such  as  mix- networks  (Chaum  1981;  Adida  2006),  onion  rout¬ 
ing  (Goldschlag,  Reed,  and  Syverson  1999;  Dingledine,  Mathewson,  and  Syverson  2004),  and  Din¬ 
ing  Cryptographers  Networks  or  DC-nets  (Chaum  1988;  Waidner  and  Pfitzmann  1989;  Sirer  et  al. 
2004;  Golle  and  fuels  2004),  further  weaken  accountability,  yielding  forums  in  which  no  content 
may  be  considered  trustworthy  and  no  reliable  defense  is  available  against  anonymous  misbehavior. 

DISSENT  (Dining-cryptographers  Shuffied-Send  Network)  is  a  communication  protocol  that 
provides  strong  integrity,  accountability  and  anonymity.  Members  of  small,  private  online  groups, 
whose  membership  is  closed  and  known  to  its  members,  are  able  to  send  anonymous  messages  to 
each  other,  to  the  whole  group,  or  to  a  non-member,  in  that  the  receiver  knows  that  some  member 
sent  the  message,  but  no  one  knows  which  member.  DISSENT  holds  members  accountable,  not  by 
compromising  their  anonymity  but  rather  by  ensuring  that  communication  resources  are  allocated 
among  all  communicating  members,  and  that  any  disruption  results  in  the  identification  of  some 
malicious  member  during  a  “blame”  process.  Members  are  thus  unable  to  corrupt  or  block  other 
members’  messages,  overrun  the  group  with  spam,  stuff  ballots,  or  create  unlimited  anonymous 
Sybil  identities  (Douceur  2002)  or  sock  puppets  (Stone  and  Richtel  2007)  with  which  to  bias  or 
subvert  the  group’s  deliberations. 

DISSENT  builds  on  the  shuffle  of  Brickell  and  Shmatikov  (2006a),  combining  that  with  DC-net 
techniques  for  efficient  bulk  communication.  It  uses  only  readily  available  cryptographic  primi¬ 
tives  and  handles  arbitrarily  large  messages  and  unbalanced  loads  efficiently.  Each  member  sends 

*The  work  of  Ewa  Syta,  Henry  Corrigan-Gibbs,  Shu-Chun  Weng,  David  Wolinsky,  and  Bryan  Ford  (email: 
ewa.syta@yale.edu)  was  supported  by  the  Defense  Advanced  Research  Projects  Agency  (DARPA)  and  SPAWAR  Sys¬ 
tems  Center  Pacific,  Contract  No.  N66001-1  l-C-4018.  Aaron  Johnson  (email:  aaron.m.johnson@nrl.navy.mil)  was 
supported  hy  DARPA.  Any  opinions,  findings  and  conclusions  or  recommendations  expressed  in  this  material  are  those 
of  the  author(s)  and  do  not  necessarily  reflect  the  views  of  DARPA  or  SPAWAR. 

^Department  of  Computer  Science,  Yale  University,  CT 

*U.S.  Naval  Research  Lahoratory 


2 


exactly  one  message  per  round,  making  it  usable  for  voting  or  assigning  pseudonyms  with  a  1-to- 

1  eorrespondenee  to  real  group  members.  DISSENT  has  limitations,  of  eourse.  It  is  not  intended 
for  large-seale,  “open-aeeess”  anonymous  messaging  or  file  sharing  (Goldsehlag,  Reed,  and  Syver- 
son  1999;  Clarke,  Sandberg,  Wiley,  and  Hong  2000).  dissent’s  aeeountability  property  assumes 
elosed  groups,  and  may  be  ineffeetive  if  a  malieious  member  can  leave  and  rejoin  the  group  under 
a  new  (public)  identity.  Finally,  dissent’s  serialized  GMP-SHUFFLE  protocol  imposes  a  per-round 
startup  delay  that  makes  DISSENT  impractical  for  latency-sensitive  applications.  Further  discussion 
on  related  anonymous  communication  systems  is  included  in  Section  6. 

DISSENT  was  first  introduced  by  Corrigan-Gibbs  and  Ford  (2010).  In  addition  to  sketching  the 
protocol  and  security  arguments,  they  describe  practical  usage  considerations  and  give  the  results  of 
several  performance  experiments  based  on  a  prototype  implementation.  We  focus  here  on  a  detailed 
exposition  of  DISSENT  and  a  rigorous  analysis  of  its  security  properties. 

Indeed,  during  our  analysis  of  the  original  protocol,  we  identified  several  affacks.  For  example, 
anonymify  could  be  broken  by  replaying  profocol  inpufs  in  subsequenf  rounds,  by  providing  af 
cerfain  poinfs  incorrecf  cipherfexls  fo  some  members  and  correcf  ones  fo  fhe  resf,  or  by  copying 
cipherfexls  af  ofher  poinfs.  Accounfabilify  for  disrupfion  could  be  avoided  by  copying  fhe  profocol 
inpufs  from  honesf  members,  and  honesf  members  could  pofenfially  be  falsely  accused  of  disrupfion 
by  rearranging  valid  signed  messages  fo  creafe  phony  logs.  Profocol  ferminafion  could  be  prevenfed 
for  some  members  by  causing  failures  for  fhem  while  allowing  fhe  resf  fo  ferminafe  successfully 
and  fhus  nol  parficipafe  in  a  blame  process.  See  fhe  appendix  more  defails  of  fhese  attacks. 

In  order  fo  fix  fhese  flaws,  we  made  several  non-frivial  modificalions  fo  fhe  original  profo- 
col.  To  prevenf  replay  attacks  we  added  key  generafion  sfeps.  To  prevenf  equivocafion  attacks  we 
added  rebroadcasf  sfeps,  and  have  members  infenfionally  cause  infermediafe  profocol  failures  when 
equivocation  is  observed.  We  add  fhe  use  of  non-malleable  commitments  to  prevent  submission 
duplication,  and  we  add  phase  numbers  to  prevent  log  forgery.  Finally,  to  prevent  non -termination 
of  the  protocol,  we  make  all  steps  non-optional,  in  particular  including  an  opportunity  for  blame  at 
the  end  of  every  execution  to  ensure  accountability. 

We  are  able  to  give  proofs  of  security  for  this  improved  protocol.  In  particular,  we  provide 
rigorous  proofs  of  integrity,  accountability,  and  anonymity.  Obtaining  a  fully  secure  protocol  with 
proofs  required  a  surprising  amount  of  additional  work  given  the  relative  simplicity  and  maturity 
of  the  underlying  ideas.  However,  as  observed  by  Wikstrbm  (2004),  the  complexity  of  anonymous 
communication  protocols  has  frequently  resulted  in  incomplete  proofs  and  subtle  errors  (see  further 
discussion  in  Section  6). 

The  main  contributions  of  this  paper,  therefore,  are  (1)  we  provide  a  full  description  of  an 
improved  DISSENT  protocol,  (2)  we  present  precise  definitions  of  its  security  properties,  and  (3)  we 
give  rigorous  proofs  that  the  protocol  satisfies  fhose  definifions. 

Section  2  ouflines  dissent’s  framework  and  securify  model.  Section  3  describes  fhe  GMP- 
SHUFFLE  protocol,  and  Section  4  defails  fhe  GMP-BULK  Iransfer  profocol.  Secfion  5  provides  formal 
securify  properfies  and  fheir  proofs.  Secfion  6  summarizes  relafed  work,  and  Secfion  7  concludes. 

2  Protocol  Overview 

DISSENT  is  designed  to  be  used  in  a  group  setting.  Each  member  i  of  fhe  group  is  associated  wifh 
a  long  term  public  signing  key  pair  {ui,Vi).  DISSENT  provides  a  shuffled  send  communication 
primifive  fhaf  gives  sender  anonymify  among  fhaf  group.  During  each  profocol  run,  every  group 


3 


member  i  seeretly  ereates  a  message  rrii  and  submits  it  to  the  protoeol.  The  protoeol  effeetively 
eolleets  all  seeret  messages,  shuffles  their  order  aeeording  to  some  random  permutation  vr  that  no 
one  knows,  and  broadeasts  the  resulting  sequenee  of  messages.  Eaeh  input  message  m*  ean  have  a 
different  length  Li. 

We  present  a  messaging  interfaee,  ealled  the  General  Messaging  Protoeol,  that  DISSENT  im¬ 
plements.  DISSENT  in  faet  defines  two  protoeols  implementing  this  interfaee:  the  GMP-SHUFFLE 
protoeol  provides  anonymous  eommunieation  for  fixed-length  messages,  and  the  GMP-BULK  pro¬ 
toeol  builds  on  this  to  provide  effieient  anonymous  eommunieation  of  arbitrary-length  messages. 

2.1  The  General  Messaging  Protocol 

A  Group  Messaging  Protoeol  GMP  is  a  3-tuple  of  algorithms  SETUP(r;i), 

ANONYMIZE(mi,  K,  Hr,  T,  /)  and  VERIFY-PROOF(Pj,  4)- 

SETUP  takes  a  member’s  publie  signing  key  Vi  as  input  and  outputs  one  or  more  session  nonees 
Ur,  a  set  K  of  all  members’  signing  keys,  an  ordering  of  members  r,  and  optionally  a  message 
length  L.  All  group  members  run  the  SETUP  algorithm  before  eaeh  protoeol  run  to  agree  on  common 
parameters.  Such  agreement  might  be  achieved  via  Paxos  (Lamport  1998)  or  BFT  (Castro  and 
Liskov  1999).  We  emphasize  that  SETUP  does  not  generate  members’  signing  keys;  rather,  it  uses 
long  term  signing  keys  submitted  by  each  member. 

ANONYMIZE  takes  a  message  rui,  a  set  K  of  members’  signing  keys,  one  or  more  round  nonces 
Ur,  an  ordering  of  members  r,  and  optionally  a  flag  /  as  input,  and  outputs  either  (SUCCESS,  M^), 
where  is  a  set  of  messages,  or  (failure,  BLAMEj,  £*),  where  BLAMEj  is  a  set  of  observed 
misbehaviors,  and  £i  is  a  log  of  a  protocol  run.  After  agreeing  on  common  parameters,  the  group 
runs  the  ANONYMIZE  algorithm.  The  goal  of  the  algorithm  is  to  anonymously  broadcast  the  set  of 
messages  submitted  by  group  members.  If  a  protocol  run  succeeds  for  a  member,  then  she  outputs 
the  anonymized  messages.  Otherwise,  the  protocol  run  fails  and  the  group  member  produces  a  set 
of  blame  proof(s)  for  the  member  misbehavior(s)  responsible  for  the  protocol  run  failure. 

VERIFY- PROOF  takes  a  proof  pj  of  member  j’s  misbehavior  and  a  log  ii  as  input,  and  outputs 
either  TRUE  indicating  that  pj  is  indeed  a  proof  of  j’s  misbehavior  given  the  observed  protocol 
history  represented  by  log  ii,  or  FALSE  otherwise.  If  a  run  of  ANONYMIZE  fails  for  member  i,  then 
i  blames  at  least  one  dishonest  member  j  by  producing  a  proof  pj  of  j’s  misbehavior  and  a  log  £i. 
VERIFY-PROOF  is  used  to  verify  that  proof  pj  does  in  fact  indicate  misbehavior  by  j  given  li. 

2.2  The  GMP-Shuffle  Protocol 

The  GMP-SHUFFLE  protocol  enables  the  anonymous  exchange  of  equally  sized  messages.  However, 
it  incurs  extra  communication  if  only  one  member  wishes  to  send,  and  its  decrypt-and-shuffle  phase 
is  inherently  serial.  GMP-SHUFFLE  builds  on  a  data  mining  protocol  by  Brickell  and  Shmatikov  (Brick- 
ell  and  Shmatikov  2006b)  to  broadcast  the  input  set  of  fixed-length  messages,  one  from  each  group 
member,  in  an  unknown  permutation,  providing  cryptographically  strong  anonymity.  Like  many 
anonymous  messaging  protocols,  the  original  data  mining  protocol  was  vulnerable  to  untraceable 
denial-of-service  (DoS)  attacks  by  malicious  group  members.  We  remove  this  vulnerability  by 
adding  go/no-go  and  blame  phases,  which  can  trace  and  hold  accountable  any  group  member  mali¬ 
ciously  disrupting  the  protocol. 

In  the  GMP-SHUFFLE  protocol,  all  members  1, . . . ,  choose  their  secret  messages  mi, . . . ,  mAr 
of  equal  length  L.  Each  member  has  a  long  lived  signing  key  pair  (ui,Vi)  and  knows  the  ordering  of 


4 


the  group  and  a  session  nonee  riR.  For  a  single  run  of  the  protoeol,  eaeh  member  generates  two  key 
pairs,  ealled  inner  and  outer,  and  shares  the  publie  keys  with  the  group.  Eaeh  member  i  iteratively 
enerypts  its  message  nii  using  all  inner  and  then  all  outer  publie  keys.  The  resulting  eiphertext 
messages  are  sent  to  a  group  leader  who  strips  one  layer  of  eneryption  from  eaeh  eiphertext  using 
his  outer  publie  key,  permutes  the  messages,  and  forwards  the  permuted  set  to  the  next  member 
who  repeats  the  proeess.  Removing  all  layers  of  outer  eneryption  yields  a  set  of  inner  eiphertext 
messages  whieh  member  N  broadeasts  to  the  entire  group.  All  members  inspeet  the  set  to  verify 
that  their  inner  eiphertext  is  present.  If  all  members’  messages  are  ineluded  and  every  step  of  the 
protoeol  eompletes  sueeessfully,  eaeh  member  releases  its  inner  private  key  allowing  the  set  of 
permuted  seeret  messages  to  be  reeovered.  If  any  inner  eiphertext  is  missing  or  eorrupted,  however, 
the  inner  keys  are  destroyed  and  the  entire  group  enters  a  blame  phase  to  find  the  eulprit  member(s). 

Seetion  3  details  the  GMP-SHUFFLE  protoeol  and  Seetion  5  demonstrates  its  seeurity. 

2.3  The  GMP-Bulk  Protocol 

The  GMP-BULK  protoeol  uses  ideas  from  DC-nets  (Chaum  1988;  Waidner  and  Pfitzmann  1989; 
Sirer  et  al.  2004;  Golle  and  fuels  2004)  to  anonymously  transmit  variable-length  messages.  In  plaee 
of  the  DoS-prone  slot  reservation  systems  in  prior  DC-nets  sehemes,  however,  DISSENT  leverages 
its  GMP-SHUFFLE  protoeol  to  prearrange  the  DC-nets  transmission  sehedule,  guaranteeing  eaeh 
member  exaetly  one  message  slot  per  round. 

GMP-BULK  uses  the  GMP-SHUFFLE  protoeol  to  broadeast  an  unknown  permutation  of  the  mes¬ 
sage  descriptors  submitted  by  eaeh  member.  Eaeh  deseriptor  di  eontains  the  length  Li  of  member 
i’s  message  rrii,  a  eryptographie  hash  of  m*,  a  veetor  Si  of  seeds  Sij,  where  eaeh  seed  is  enerypted 
with  j’s  session  publie  key  and  assigns  eaeh  member  j  a  pseudorandom  bulk  eiphertext  to  transmit, 
and  a  veetor  Hi  of  hashes  Hij  validating  eaeh  bulk  eiphertext.  The  shuffled  order  of  the  message 
deseriptors  indieates  the  order  in  whieh  the  anonymous  senders  should  transmit  their  seeret  mes¬ 
sages.  Then,  all  group  members  broadeast  bit  streams  based  on  pseudorandom  seeds  ineluded  in 
the  message  deseriptors,  so  that  XORing  all  members’  bit  streams  together  yields  a  permuted  set 
of  all  members’  variable-length  messages.  During  a  member’s  own  transmission  slot,  he  trans¬ 
mits  his  own  message  XOR’d  with  the  messages  he  has  instrueted  all  other  members  to  generate. 
During  another  group  member’s  transmission  slot,  members  broadeast  a  pseudorandom  bit  string 
generated  from  an  enerypted  seed  in  the  slot’s  message  deseriptor.  Cryptographie  hashes  in  the 
message  deseriptors  enable  members  to  verify  the  eorreetness  of  eaeh  others’  bulk  transmissions, 
ensuring  message  integrity  and  DoS  proteetion  throughout.  If  any  group  member  sends  an  invalid 
bit  string,  then  in  a  blame  phase  the  owner  of  that  transmission  slot  uses  GMP-SHUFFLE  to  anony¬ 
mously  broadeast  an  accusation  exposing  the  faulty  group  member.  The  GMP-BULK  protoeol  is 
detailed  in  Seetion  4  and  Seetion  5  proves  its  seeurity. 

2.4  Security  Model 

We  assume  the  adversary  is  polynomial-time  limited.  We  allow  him  to  eontrol  a  eolluding  subset 
of  group  members.  We  define  the  rest  of  the  members  as  honest,  in  that  they  run  the  preseribed 
algorithms,  and  their  internal  states  are  hidden  from  the  adversary.  We  assume  that  eommunieation 
ehannels  exist  between  all  members,  and  that  they  ean  be  observed  by  the  adversary. 

The  seeurity  properties  we  wish  the  protoeol  to  satisfy  are  integrity,  accountability,  and  anonymity, 
as  we  deseribe  below.  Eormal  definitions  of  these  properties  and  their  proofs  are  given  in  Seetion  5. 


5 


•  Integrity:  The  protocol  offers  integrity  if  every  honest  member  for  whom  the  protocol  com¬ 
pletes  successfully  has  the  same  output  and  receives  the  messages  of  all  the  other  honest 
members. 

•  Accountability:  The  protocol  offers  accountability  if  (/)  every  honest  member  for  whom  the 
protocol  failed  obtains  proof  of  some  member’s  misbehavior  valid  under  VERIFY-PROOF,  and 
(//)  the  adversary  cannot  produce  a  valid  proof  of  misbehavior  by  an  honest  member. 

•  Anonymity:  The  protocol  maintains  anonymity  if  the  adversary  can  guess  the  sources  of  the 
messages  from  honest  users  with  probability  no  greater  than  random  guessing. 

We  observe  that  these  properties  do  not  imply  that  DISSENT  completes  for  all  members,  and, 
in  fact,  we  cannot  guarantee  that  the  protocol  terminates  if  a  member  stops  participating  at  some 
point.  However,  the  protocol  execution  is  very  simple:  a  fixed  sequence  of  phases  during  which 
all  members  send  no  message  or  all  send  one  message.  If  a  properly  signed  message  indicating 
the  desired  protocol  run  and  phase  is  received  from  every  member,  the  protocol  proceeds  to  the 
next  round.  Therefore  every  member  knows  when  another  should  send  a  message,  and  thus  gossip 
techniques  such  as  those  used  in  PeerReview  (Haeberlen,  Kouznetsov,  and  Druschel  2007)  can  be 
applied  in  a  wrapper  protocol  to  ensure  liveness.  Moreover,  we  note  that  when  every  member 
follows  the  protocol,  not  only  does  it  complete  but  it  succeeds,  as  will  be  clear  from  the  protocol 
description. 

2.5  Cryptographic  Primitives  and  Security  Assumptions 

DISSENT  makes  use  of  several  cryptographic  tools,  and  its  security  depends  on  certain  assumptions 
about  their  security. 

2.5.1  Hash  functions 

We  use  a  standard  definition  (Stinson  2005)  of  a  collision-resistant  unkeyed  hash  function  and  will 
denote  the  hash  of  message  m  as  HASH{m}.  We  assume  that  the  hash  function  used  is  second- 
preimage  resistant  (Rogaway  and  Shrimpton  2004). 

Definition  1.  A  hash  function  is  second-preimage  resistance  if  it  is  computationally  infeasible  to 
find  any  second  input  which  has  the  same  output  as  any  specified  input,  i.e.  given  x,  to  find  a  second 
pre-image  x'  x  such  that  h{x)  =  h{x'). 

2.5.2  Encryption 

We  use  a  cryptosystem  that  consists  of:  (/)  a  key  generation  algorithm  taking  a  security  parameter 
p  and  producing  a  private/public  key  pair  (x,  y);  (ii)  an  encryption  algorithm  taking  public  key  y, 
plaintext  m,  and  some  random  bits  R,  and  producing  a  ciphertext  c  =  {m}^;  (Hi)  a  deterministic 
decryption  algorithm  taking  private  key  x  and  ciphertext  c,  and  returning  the  plaintext  m.  A  member 
can  save  the  random  bits  R  used  during  encryption.  The  notation  c  =  indicates  iterated 

encryption  via  multiple  keys:  c  =  {. . .  {m}y_^  . . .  }y^ ■  We  omit  R  when  an  encryption’s  random 
inputs  need  not  be  saved. 

We  assume  that  members  can  check  an  arbitrary  (x,  y)  purported  to  be  a  key  pair  to  verify 
that  it  could  have  been  generated  by  the  specified  key  generafion  algorifhm.  We  also  assume  fhaf 


6 


the  underlying  publie-key  eryptosystem  provides  indistinguishable  eiphertexts  against  a  ehosen- 
eiphertext  attaek.  That  is,  the  eryptosystem  is  IND-CCA2  seeure  (Bellare,  Desai,  Pointeheval,  and 
Rogaway  1998). 

Definition  2.  A  cryptosystem  is  IND-CCA2  if,  for  all  probabilistic  polynomial-time  adversaries,  the 
advantage  in  the  distinguishing  game  is  negligible  as  a  function  of  the  security  parameter  p. 

The  distinguishing  game  (Bellare,  Desai,  Pointeheval,  and  Rogaway  1998;  Briekell  and  Shmatikov 
2006a)  is  played  between  an  adversary  A  and  a  ehallenger  C  who  takes  as  input  the  ehallenge  bit  b. 

1.  The  ehallenger  C  uses  p  to  generate  a  key  pair  (x,  y)  and  gives  the  publie  key  y  to  the  adver¬ 
sary  A. 

2.  A  may  enerypt  polynomially  many  messages  m  using  y  and  deerypt  polynomially  many 
arbitrary  eiphertexts  c.  To  deerypt  a  eiphertext  c  =  {m}y,  A  queries  c  to  C,  who  sends  baek 
m  =  {c]x- 

3.  Eventually,  A  ehooses  two  messages  mo  and  mi  and  sends  them  to  C. 

4.  C  eomputes  Cf,  =  {m^jy  and  sends  it  to  A. 

5.  A  may  perform  polynomially  many  eneryptions  of  any  m,  and  polynomially  many  deeryp- 
tions  of  any  eiphertexts  c,  provided  that  c  /  Cb. 

6.  A  outputs  a  guess  b  G  {0, 1}  for  the  value  of  b. 

The  adversary’s  advantage  in  the  distinguishing  game  is  equal  to 


Pr 


A^io)  =  1 


—  Pr 


A^W  =  1 


where  the  probability  is  taken  over  the  randomness  of  the  adversary  and  the  ehallenger. 


2.5.3  Digital  Signatures 

We  use  a  signature  scheme  that  eonsists  of:  (/)  a  key  generation  algorithm  taking  a  seeurity  param¬ 
eter  p  and  produeing  a  private/publie  key  pair  {u,  n);  (ii)  a  signing  algorithm  taking  private  key  u 
and  message  m  to  produee  signature  a  =  SlGu{m};  and  (Hi)  a  deterministie  verifieation  algorithm 
taking  publie  key  v,  message  m,  and  eandidate  signature  a,  and  returning  true  iff  cr  is  a  eorreet  sig¬ 
nature  of  m  using  v’s  assoeiated  private  key  u.  The  notation  {m}siG„  indieates  the  eoneatenation 
of  message  m  with  the  signature  SlG^dm}. 

We  assume  that  the  underlying  digital  signature  seheme  has  a  strong  unforgeability  property. 
That  is,  it  is  EUF-CMA  seeure  (Goldwasser,  Mieali,  and  Rivest  1995). 

Definition  3.  A  digital  signing  scheme  is  EUF-CMA  secure  if,  for  all  probabilistic  polynomial-time 
adversaries,  the  adversary ’s  advantage  in  the  forging  game  is  negligible  as  a  function  of  the  security 
parameter  p. 

The  forging  game  is  played  between  an  adversary  A  and  a  ehallenger  C.  It  is  equivalent  to  a 
standard  EUF-CMA  game. 


7 


1.  The  challenger  C  uses  p  to  generate  a  key  pair  (re,  y)  and  gives  the  public  key  y  to  the  adver¬ 
sary  A. 

2.  A  may  request  signatures  on  polynomially  many  messages.  A  chooses  a  message  m  and 
sends  it  to  C,  who  sends  back  a,  a  signature  on  m  under  y.  A  is  allowed  to  query  C  in  an 
adaptive  fashion. 

3.  Eventually,  A  outputs  a  pair  (m',  a’). 

The  adversary  wins  the  forging  game  if  {w! ,a')  is  a  valid  message-  signature  pair  under  y 
assuming  that  m!  has  never  been  queried  to  the  challenger.  The  adversary’s  advantage  is  simply  the 
probability  of  winning  the  forging  game,  where  the  probability  is  taken  over  the  randomness  of  the 
adversary  and  the  challenger. 


2.5.4  Pseudo-random  Number  Generator 


We  use  a  standard  definition  (Stinson  2005)  of  a  pseudorandom  number  generator  (PRNG).  Let 
g{s)  be  a  pseudo-random  number  generator,  where  s  is  a  seed.  We  will  denote  the  first  L  bits 
generated  from  g{s)  as  prng{L,  s}. 

Definition  4.  A  function  g  :  {0,  — )■  {0,  ^  pseudorandom  number  generator  if,  for 

all  probabilistic  polynomial-time  adversaries,  the  adversary ’s  advantage  in  the  pseudorandomness 
game  is  negligible  as  a  function  of  the  security  parameter  p. 

The  pseudorandomness  game  is  played  between  an  adversary  A  and  a  challenger  C{h). 

1.  If  6  =  0,  C  chooses  s  G  {0,  uniformly  at  random  and  sets  r  =  g{s).  If  6  =  1,  C 

chooses  r  G  {0,  uniformly  at  random. 

2.  C  sends  r  to  A. 

3.  A  outputs  a  guess  b  G  {0, 1}  for  the  value  of  b. 

The  adversary’s  advantage  in  the  pseudorandomness  game  is 


Pr 


ACio)  =  1 


Pr 


.4^(1)  =  1 


where  the  probability  is  taken  over  the  randomness  of  the  adversary  and  the  challenger. 


2.5.5  Non-malleable  Commitments 

We  use  the  definition  by  Dolev,  Dwork,  and  Naor  (2000)  of  a  non-malleable  commitment.  The 
notation  x  =  COMMIt{c}  indicates  that  x  is  a  commitment  to  c,  and  the  notation  c  =  OPEn{x} 
indicates  that  c  is  the  opening  of  the  commitment  x. 


3  GMP-Shuffle 


3.1  Protocol  Description 

The  Group  Messaging  Protoeol-Shuffle  GMP-SHUFFLE  is  an  instantiation  of  the  Group  Messaging 
Protoeol  and  eonsists  of  three  algorithms:  SETUP-S,  ANONYMIZE-S,  and  VERIFY-PROOF-S.  Before 
eaeh  protoeol  run,  all  members  run  the  SETUP-S  algorithm  to  agree  on  the  eommon  parameters 
needed  for  eaeh  run.  One  parameter  thus  determined  is  the  fixed  message  length  L.  Eaeh  member 
i  pads  or  trims  input  message  to  length  L.  All  members  use  the  remaining  parameters  K,  ur, 
and  r  as  inputs  to  ANONYMiZE-S.  This  algorithm  also  takes  a  fail  flag  /  whieh  is  always  set  to 
FALSE  when  the  algorithm  is  run  as  a  part  of  GMP-SHUFFLE.  The  fail  flag  will  sometimes  be  set  to 
TRUE  when  ANONYMIZE-S  is  run  as  a  part  of  GMP-BULK.  If  a  run  of  GMP-SHUFFLE  eompletes,  it 
ean  either  sueeeed  (Definition  6),  revealing  a  set  of  anonymized  messages,  or  fail  (Definition  7),  in 
whieh  ease  some  faulty  member(s)  are  blamed.  The  VERIFY- PROOF- S  algorithm  is  used  to  validate 
a  proof  of  a  member’s  misbehavior  produeed  upon  a  protoeol  failure. 

3.2  The  Setup-S  Algorithm 

SETUP-S(r;i)  takes  eaeh  member’s  publie  signing  key  Vi  as  input,  and  outputs  a  session  nonee  hr,  a 
set  K  of  all  members’  signing  keys,  an  ordering  of  members  r,  and  a  fixed  message  length  L. 

3.3  The  Anonymize-S  Algorithm 

The  purpose  of  ANONYMlZE-s(mi,  K,  ur,  t,  f)  when  run  by  eaeh  member  in  a  group  on  the  eollee- 
tive  input  messages  M  is  to  produee  anonymized  messages  M' .  ANONYMiZE-S  takes  a  message  m 
of  a  fixed  length  L,  K,  ur,  t,  and  a  fail  flag  /  as  input.  A  protoeol  run  of  ANONYMiZE-S  sueeeeds 
for  member  i  if  an  internal  flag  SUCCESS*  is  set  to  TRUE  after  eompletion  of  ANONYMiZE-S  and 
fails  otherwise.  After  a  sueeessful  eompletion  of  a  protoeol  run,  member  i  outputs  (SUCCESS,  M*'), 
where,  as  we  show  in  Seetion  5,  eonsists  of  N  messages  ineluding  every  message  submitted  by 
an  honest  member.  After  a  protoeol  failure,  member  i  produees  (failure,  blame*,  4)-  BLAME* 
ineludes  proofs  pj  =  {j,  c)  for  eaeh  member  j  for  whom  a  eheek  c  of  her  behavior  failed  in  Phase  6 
from  Ts  point  of  view.  At  least  one  of  the  following  eheeks  always  fails  for  some  member  j  from  i’s 
point  of  view  provided  that  SUCCESS*  =  FALSE.  In  sueh  situation  a  proof  pj  is  added  to  BLAME*. 
The  eheeks  are  listed  in  the  order  they  are  applied  by  member  i  during  the  protoeol.  Eaeh  eheek 
is  assoeiated  with  a  eheek  number  that  ANONYMIZE- S  uses  to  form  a  proof  of  a  partieular  form  of 
misbehavior,  and  VERIFY-PROOF-S  uses  to  eonfirm  a  reeord  of  that  misbehavior. 

•  Cheek  1  (ci):  Ineomplete  log  or  equivoeation  (different  versions  of  messages  in  released 
logs). 

•  Cheek  2  (02):  Mismatehed  inner  key  pair  in  Phase  5. 

•  Cheek  3  (03):  Empty  inner  private  key  in  Phase  5  without  a  justifying  GOk  =  FALSE  or 
broadeast-hash  inequality. 

•  Cheek  4  (04):  Mismatehed  outer  key  pair  or  empty  outer  private  key  in  Phase  6  regardless  of 
a  GOfc  =  FALSE  message  or  broadeast-hash  inequality. 


9 


•  Check  5  (cs):  Invalid  public  key  in  Phase  1. 

•  Check  6  (ce):  Invalid  commitment  in  Phase  2a. 

•  Check  7  (cy):  Incorrect  commitment  or  invalid  ciphertext  or  identity  in  Phase  2b. 

•  Check  8  (cs):  Incorrect  set  of  permuted  ciphertexts  after  decryption  in  Phase  3. 

•  Check  9  (cg):  Invalid  ciphertext(s)  after  decryption  in  Phase  3. 

•  Check  10  (cio):  Duplicate  ciphertext(s)  after  decryption  in  Phase  3. 

•  Check  11  (cii):  Incorrect  GOj  in  Phase  4. 

•  Check  12  (C12):  Incorrect  broadcast  hash  in  Phase  4. 

For  every  member  i,  a  complete  log  includes  messages  sent  and  received  within  SETUP- S  and  the 
following  messages  for  each  phase  of  ANONYMIZE- S: 

•  SETUP-S:  All  protocol  messages. 

•  Phase  1:  Sent:  jin,  received:  fj,ki  for  all  k  ^  i. 

•  Phase  2a:  Sent:  received:  ^f^2a  for  all  k  ^  i. 

•  Phase  2b:  Sent:  fii2b,  received:  if  i  =  1,  then  ii]^2b  for  all  k  i,  if  i  ^  1,  then  no  message. 

•  Phase  3:  Sent:  received:  if  i  =  1,  then  no  message,  if  i  /  1,  then 

•  Phase  4:  Sent:  Hi4,  received:  ^^4  for  all  k  ^  i. 

•  Phase  5:  Sent:  //js,  received:  for  all  k  ^  i. 

•  Phase  6:  Sent:  received:  for  all  k  ^  i. 

Algorithm  description.  ANONYMlZE-s(mi,  K,  ur,  r,  /) 

•  Phase  1 :  Generation  of  Inner  and  Outer  Key  Pairs. 

Each  member  i  chooses  two  ephemeral  encryption  key  pairs  and 

and  broadcasts 

hii  =  1,  i}siG„^. 

Member  i  verifies  that  the  messages  she  receives  contain  valid  public  keys.  If  the  verification 
fails,  member  i  sets  an  internal  flag  GO*  to  FALSE  to  indicate  that  a  step  of  the  protocol  failed. 

•  Phase  2a:  Data  Commitment. 

Each  member  i  encrypts  her  datum  m*  with  all  members’  inner  public  keys,  in  reverse  order 
from  to 

—  {^^2}  jpub  j-pub  • 


10 


Member  i  stores  the  inner  eiphertext  C[  for  later  use,  then  further  enerypts  C[  with  all  mem¬ 
bers’  outer  publie  keys  to  obtain  the  outer  eiphertext 

Ci  =  Qpub  ,Qpub  . 

If  a  publie  key  released  by  some  member  j  was  invalid,  i  generates  and  uses  a  random  key 
for  j  to  allow  the  protoeol  to  go  forward. 

Now  member  i  ealeulates  a  non-malleable  eommitment  to  Ci  and  i 

Xi  =  COMMITlCjji} 


and  broadeasts 


I^i2a  —  2 a,  z} . 


Member  i  waits  to  reeeive  sueh  a  message  from  every  other  member  and  then  verifies  that 
they  inelude  valid  eommitments.  If  they  do  not,  GO*  is  set  to  FALSE. 


•  Phase  2b:  Data  Submission. 

Member  i  sends  member  1  an  opening  of  her  eommitment 

=  {OPEN{Xi},  nij,  2b,  i}SIG„;. 

Member  1  verities  that  eaeh  ^i2b  sueeessfully  opens  Xi  and  that  the  result  is  a  valid  eiphertext 
and  i.  If  not,  member  1  sets  GOi  to  FALSE. 


•  Phase  3:  Anonymization. 

Member  1  eolleets  the  results  of  opening  the  eommitments  into  a  veetor  Cq  =  (Ci, . . . ,  Cn), 
randomly  permutes  its  elements,  then  strips  one  layer  of  eneryption  from  eaeh  eiphertext 
using  private  key  to  form  Ci.  Member  1  sends  to  member  2 

/^13  =  {Ci,nR,  3,  l}SIG„j. 

Each  member  1  <  i  <  in  turn  accepts  Ci-i,  permutes  it  randomly,  strips  one  layer 
of  encryption  using  key  to  form  Ci,  then  sends  Hi^  =  {Ci,  ur,  3,  ijsiGu,  to  member 
i  +  1.  Member  N  similarly  creates  and  broadcasts  it  to  all  members.  Member  i  skips 
decryption  for  any  invalid  ciphertext  in  Cj_i.  Any  member  i  who  detects  a  duplicate  or 
invalid  ciphertext  in  Ci  sets  GO*  to  FALSE. 

•  Phase  4:  Verification. 

All  members  now  hold  Cn,  which  should  be  a  permutation  of  , . . . ,  Each  member  i 
verifies  fhaf  her  own  inner  cipherfexf  C'  is  included  in  and  sefs  GO*  fo  FALSE  if  nof.  If 
/  =  TRUE  fhen  member  i  always  sefs  GO^  =  FALSE  regardless  of  fhe  above  verificalion.  If 
/  =  FALSE  and  fhe  GOi  Hag  has  nof  yef  been  sef  fo  FALSE,  if  is  now  sef  fo  TRUE. 

Each  member  i  creafes  a  vector  B  of  all  broadcasf  messages  -  fhaf  is,  messages  for  which  iden- 
fical  copies  should  have  been  delivered  to  all  members  -  from  prior  phases:  all  members’  pub¬ 
lic  key  messages  from  phase  1,  all  members’  commilmenf  messages  from  phase  2a,  and  mem¬ 
ber  A^’s  phase  3  message  confaining  Cat.  Thus,  B  =  (/Uii,  .  .  .  , /U7V1, /^12a,  •  •  •  ,  PA2a,  MAfs)- 
Member  i  broadcasfs 

/ii4  =  {GOi,HASH{.B},nK,  4,z}siGn;. 


11 


•  Phase  5:  Key  Release  and  Deeryption. 

Case  1.  If  member  i  reeeives  GOj  =  TRUE  and  HASH{i?j}  =  HASHjSj}  from  every  member 
j,  and  her  GOj  =  TRUE,  then  member  i  destroys  her  eopy  of  C[  and  broadeasts  her  inner 
private  key  to  all  members 


P-iS  —  5,  i}SIGt[^ . 

Upon  reeeiving  messages  from  every  other  member,  member  i  verifies  that  eaeh  non-empty 
inner  private  key  is  valid  and  eorresponds  to  the  publie  key  If  member  i  reeeives 
at  least  one  empty  key  or  if  any  key  pair  fails  the  verifieation,  then  i  sets  the  internal  flag 
SUCCESSj  to  FALSE. 

Otherwise,  SUCCESS*  is  set  to  TRUE  and  member  i  removes  the  N  levels  of  eneryption  from 
Cat,  resulting  in  M'^  =  {m'l, . . . ,  m'^},  the  anonymized  set  of  messages  submitted  to  the 
protoeol. 

Case  2.  If  member  i  reeeived  GOj  =  FALSE  or  HASH{i?j}  /  HASH{.Bj}  from  any  member 
j,  or  her  own  flag  GO*  =  FALSE,  then  member  i  destroys  her  inner  private  key  and  sends 
to  all  members  an  empty  string  instead  of  her  inner  private  key. 

Member  i  broadeasts 

/ij5  —  {0,  Tin,  5 ,  i} siG**^ 
and  sets  the  internal  flag  SUCCESS*  to  FALSE. 

•  Phase  6:  Blame. 

Case  1.  Member  i’s  SUCCESS*  =  TRUE.  In  this  ease,  member  i  aeknowledges  a  sueeessful 
eompletion  of  the  protoeol.  Member  i  ereates  a  veetor  T  of  all  signed  messages  she  sent  and 
reeeived  in  Phases  1-5,  and  broadeasts 

/r*6  =  {T,nR,  6,i}SIG**.. 

Now,  member  i  outputs  (SUCCESS,  M[),  whieh  eompletes  the  protoeol. 

Case  2.  Member  Ps  SUCCESS*  =  FALSE  and  for  every  member  j  GOj  =  TRUE  and 
HASH{Bj}  =  HASHji?*}. 

Member  i  keeps  her  outer  private  key  0?“^  seeret,  and  broadeasts  an  empty  string  instead  of 
her  key  and  a  veetor  T  of  all  signed  messages  she  sent  and  reeeived  in  Phases  1-5 

^*6  =  {0,f,nR,  6,i}SIG***. 

Case  3.  Member  i’s  SUCCESS*  =  FALSE  and  for  any  member  y  GOj  =  FALSE  or  HASH{i3j}  / 
HASH{i?*}.  Member  i  broadeasts  her  outer  private  key  permutation  vr*  and  a  veetor  T 
of  all  signed  messages  she  sent  and  reeeived  in  Phases  1-5 

^■*6  —  {^i  6,i}SIG**^. 


12 


Now,  member  i  eontinues  with  the  following  steps  if  she  exeeuted  Case  2  or  Case  3.  If 
member  i  exeeuted  Case  1,  then  the  protoeol  has  eompleted. 

Upon  reeeiving  a  message  fXjQ  from  every  other  member  j,  member  i  inspeets  every  log  T 
and  diseards  any  message  in  T  that  is  not  properly  signed  or  does  not  have  the  eorreet  round 
or  phase  number.  Then,  member  i  verifies  eaeh  member  j’s  T  to  ensure  that  it  eontains  all 
messages  sent  and  reeeived  by  j  in  Phases  1-5  as  well  as  that  the  eontents  of  all  messages 
ineluded  in  T  mateh  the  eorresponding  messages  in  the  other  T  logs  of  other  members.  For 
every  member  j  whose  T  is  ineomplete  or  for  whom  different  versions  of  any  message 
are  revealed,  member  i  sets  pj  =  (j,  ci),  where  ci  indieates  the  failed  eheek  number,  and 
adds  Pj  to  BLAMEj.  If  there  is  an  ineomplete  T  or  an  equivoeation  is  observed,  member  i 
ereates  a  log  li  of  the  protoeol  run  that  eonsists  of  all  messages  sent  and  reeeived  by  i  during 
SETUP-S  and  ANONYMIZE-S.  Then,  member  i  outputs  (eailure,  BLAMEj,  £j),  whieh  eon- 
eludes  the  protoeol. 

Otherwise,  member  i  uses  those  messages  in  the  T  logs  but  not  sent  to  i  to  eomplete  her 
view  of  Phases  1-5,  and  thus  she  proeeeds  to  examine  the  remaining  part  of  the  protoeol. 
She  begins  by  verifying  the  inner  and  outer  key  pairs  revealed  by  other  members.  Member  i 
blames  eaeh  member  j  who  revealed  his  inner  private  key  and  for  whom  the  verifieation 

of  his  key  pair  failed  in  Phase  5.  Member  i  sets  pj  =  (j,  C2)  and  adds  pj  to 

BLAME*  Then,  for  every  member  j  who  sent  an  empty  inner  private  key  in  Phase  5,  member 
i  eheeks  the  GOfc  flags  and  broadeast  hashes.  Member  i  blames  eaeh  member  j  whose  inner 
private  key  was  empty  if  there  is  no  GO^  =  EALSE  or  non-matehing  broadeast  hash.  Member 
i  sets  Pj  =  (j,  C3)  and  adds  pj  to  BLAME*.  For  every  member  j  who  revealed  his  outer  private 
key  in  Phase  6,  member  i  eheeks  if  the  outer  private  key  is  valid  and  eorresponds  to  the 
outer  publie  key  In  addition,  for  every  member  j  who  sent  an  empty  outer  private  key 

in  Phase  6,  member  i  eheeks  the  veetor  T  in  pjQ  of  all  messages  sent  and  reeeived  by  j  to 
verify  that  she  justifies  not  sending  by  showing  that  in  Phase  4  every  GO=TRUE  and  all 
broadeast  hashes  were  the  same.  For  every  member  j  whose  outer  private  key  is  invalid  or 
non-matehing,  or  who  was  not  justified  in  withholding  the  outer  private  key,  member  i  sets 
Pj  =  {j,  C4)  and  adds  pj  to  BLAME*. 

Member  i  eontinues  by  replaying  the  protoeol  from  the  perspeetive  of  every  member  j  using 
that  member’s  revealed  messages  and  keys.  Any  member  who  does  not  follow  the  protoeol 
given  the  messages  she  reeeives  is  added  to  BLAME*.  More  preeisely,  member  i  examines  the 
aetions  of  the  other  members  in  eaeh  phase  as  follows: 

-  Sub-Phase  1:  For  every  member  j  who  sends  an  invalid  publie  key,  member  i  sets 
Pj  =  {j,  C5)  and  adds  pj  to  BLAME*. 

-  Sub-Phase  2a:  For  every  member  j  who  sends  an  invalid  eommitment,  member  i  sets 
Pj  =  {j,  ce)  and  adds  pj  to  BLAME*. 

-  Sub-Phase  2b:  For  every  member  j  who  sends  an  opening  that  does  not  sueeessfully 
open  her  eommitment  or  that  does  not  result  in  a  valid  eiphertext  and  identity  j,  member 
i  sets  Pj  =  {j,  C7)  and  adds  pj  to  BLAME*. 

-  Sub-Phase  3:  In  the  ease  that  all  outer  private  keys  are  revealed  and  all  outer  private 


13 


keys  correspond  to  the  outer  public  keys,  member  i  checks  that  every  member  j  sends  a 
permutation  of  the  decrypted  valid  ciphertexts  and  the  invalid  ciphertexts  as  contained 
in  Cj-i.  For  any  member  that  fails  this  check,  member  i  sets  pj  =  (j,  cq)  and  adds  pj  to 
BLAME*.  Member  i  further  checks  that  the  submitted  ciphertexts  do  not  cause  failures  by 
producing  duplicate  or  invalid  ciphertexts  after  decryption.  If  the  submitted  ciphertext 
Cj  of  member  j  contains  an  invalid  ciphertext  after  d  decryptions,  1  <  d  <  A^,  then 
member  i  sets  pj  =  {j,  cg)  and  adds  pj  to  BLAME*.  If  the  submitted  ciphertexts  Cj  and 
Ck  of  members  j  ^  k  decrypt  to  the  same  ciphertext  after  d  decryptions,  1  <  d  <  A^, 
then  member  i  blames  members  j  and  k.  Member  i  sets  pj  =  (j,  cio)  and  pk  =  {k,  cio), 
and  then  adds  pj  and  p^  to  BLAME*. 

-  Sub-Phase  4:  In  the  case  that  all  outer  private  keys  are  revealed  and  all  outer  private  keys 
correspond  to  the  outer  public  keys,  member  i  verifies  that  member  j  properly  reported 
GOj  =  FALSE  based  on  the  messages  seen  by  j  in  Phases  1-3.  At  least  one  of  the 
following  checks  must  have  failed  from  j ’s  point  of  view  to  justify  a  GOj  =  FALSE. 

*  Sub-Sub-Phase  1:  Member  i  verifies  fhe  validify  of  public  keys  using  messages 
(/Uii, . . . ,  pNi)  senf  by  all  members. 

*  Sub-Sub-Phase  2a:  Member  i  verifies  fhe  correcfness  of  fhe  submiffed  commif- 
menfs  using  {pua,  •  •  • ,  I^N2a)- 

*  Sub-Sub-Phase  2b:  (This  check  is  done  only  for  member  1)  Member  i  verifies  fhaf 
fhe  commifmenls  correspond  fo  fhe  cipherlexfs  and  fhaf  fhe  resulfing  cipherfexfs 
and  idenfifies  are  valid  using  {pi2a,  •  •  • ,  dN2a)  and  {pi2b,  •  •  • ,  dN2b)- 

*  Sub-Sub-Phase  3:  Member  i  verifies  fhaf  fhere  are  no  duplicafe  or  invalid  cipher- 
lexis  sen!  from  j  using 

*  Sub-Sub-Phase  4:  Member  i  verifies  fhaf  j’s  inner  cipherlexl  C'  is  included  in  Cn- 
To  determine  C*',  member  i  opens  fhe  commilmenl  Xj  and  decrypls  fhe  resulting 
cipherlexl  wilh  each  of  fhe  oufer  privale  keys. 

If  all  of  fhe  above  checks  were  successful  and  GOj  =  FALSE,  fhen  member  i  sels  pj  = 
(j,  cii)  and  adds  pj  lo  BLAME*. 

In  addilion,  member  i  checks  if  fhe  HASH{.Bj}  fhaf  she  received  in  is  correclly 
calculaled  from  fhe  broadcasl  messages.  If  nol,  member  i  sels  pj  =  (j,  C12)  and  adds  pj 
lo  BLAME*. 

To  conclude  fhe  protocol,  member  i  creales  a  log  £*  consisting  of  fhe  messages  sen!  and  received 
during  SETUP-S  and  ANONYMiZE-s  and  oulpuls  (failure,  blame*,  £*). 

3.4  Verify-Proof-S  Algorithm 

VERlFY-PROOF-s(pj,  £*)  is  used  lo  verify  a  member  j’s  misbehavior.  The  algorilhm  lakes  as  inpul 
a  proof  Pj  and  a  log  £*.  If  should  be  fhaf  pj  =  {j,  c),  where  j  is  a  member’s  idenlifier  and  c  is 
fhe  number  of  a  check  which  failed  for  j  from  i’s  poinl  of  view.  £*  should  be  i’s  log  of  a  prolo- 
col  run,  including  all  messages  senf  and  received  by  member  i  in  SETUP-S  and  ANONYMiZE-S. 
VERIFY-PROOF-S  oulpuls  TRUE  if  pj  is  a  verifiable  proof  of  j’s  misbehavior  based  on  £*  and  FALSE 
olherwise. 


14 


3.4.1  Algorithm  description. 

VERIFY-PROOF- S {pj ,  £i) 

•  Step  1:  Proof  verification.  Verify  that  pj  =  {j,  c),  where  c  is  a  valid  check  number  and  j  is  a 
valid  member  identifier.  If  so,  fhen  proceed  fo  fhe  nexf  phase.  Ofherwise,  oufpuf  FAFSF  and 
slop. 

•  Slep  2:  Log  verificalion.  All  messages  included  in  log  ii  are  verified  lo  ensure  lhal  signalures 
on  fhe  included  messages  are  valid.  Each  message  is  checked  lo  verify  lhal  il  conlains  a  cor- 
recl  round  nonce  given  Ihe  execution  of  Ihe  SFTUP-S  algorilhm  and  a  correcl  phase  number. 
All  messages  wilh  invalid  signalures,  round  nonces  or  phase  numbers  are  discarded.  If  Ihe 
resulting  log  does  nol  include  all  messages  lhal  were  supposed  lo  have  been  senl  and  received 
by  i  during  SFTUP-S  and  ANONYMIZF-S,  as  described  in  Ihe  descriptions  of  Ihose  algorilhms, 
Ihen  oulpul  FALSE  and  slop. 

Olherwise,  verify  lhal  Ihe  logs  of  all  senl  and  received  messages  revealed  in  Phase  6  by 
every  member  j  are  complete  and  consistent  Thai  is,  for  every  message  pjQ,  consider  Ihe 
included  vector  T.  Discard  any  message  in  T  lhal  is  nol  properly  signed  or  does  nol  have  Ihe 
correcl  round  or  phase  number,  and  inspecl  every  T  to  verify  lhal  il  includes  all  messages  senl 
and  received  in  Phases  1-5.  Then,  for  every  message  recorded  as  senl  by  one  member  and 
received  by  anolher,  check  lhal  Ihe  conlenls  malch,  and,  for  every  message  lhal  is  supposed  to 
be  a  broadcast  check  lhal  Ihe  conlenls  of  all  observed  copies  malch.  If  any  T  is  incomplete 
or  inconsislenl  and  c  /  ci,  Ihen  oulpul  FALSE  and  stop.  Olherwise,  if  c  =  ci  or  all  logs  are 
complete  and  consistent  Ihen  proceed  to  Ihe  nexl  phase. 

•  Step  3:  Proof  verification  decision. 

If  all  T  logs  were  determined  to  be  complete  and  consistent  £i  is  augmented  to  conlain  all 
Phase  1-5  messages  senl  and  received  by  all  members.  Olherwise,  c  =  ci,  and  a  log  li  of 
jusl  i’s  perspective  will  be  sufficient  The  resulting  £i  is  examined  as  follows  to  verify  lhal  j 
failed  check  c: 

-  If  c  =  Cl,  Ihen  we  wish  to  verify  lhal  member  j  senl  an  incomplete  T  or  equivocated  in 
Ihe  protocol. 

Using  message  pje,  which  is  eilher  of  Ihe  form  {T,  ur,  6,  j}siG„^,  {0,  T,  ur,  6, 
or  {Oj“,  VTj,  T,  Ur,  6,  jjsiGtj^,  depending  on  j’s  execution  of  Ihe  protocol,  check  if  T 
conlains  all  messages  senl  and  received  by  j  in  Phases  1-5  such  lhal  all  messages  are 
properly  signed  and  include  correcl  phase  and  round  numbers.  If  il  does  nol,  then  output 
TRUE  and  stop.  Otherwise,  using  the  logs  T  in  the  messages  pk6  of  each  member  k,  de¬ 
termine  whether  there  exist  copies  of  a  message  that  are  properly  signed  with  correct 
round  and  phase  numbers  but  have  different  contents.  If  such  evidence  of  equivocation 
exists,  then  output  TRUE  and  stop;  else  output  FALSE  and  stop. 

-  If  c  =  C2,  then  we  wish  to  verify  that  member  j  sent  an  invalid  inner  key  pair. 

Check  if  j  sent  pj^  of  the  form  5,j}siGuj  in  Phase  5.  If  not,  then  output 

FALSE  and  stop.  If  yes,  then  using  messages  pji  =  {Ij'^^,0£^^,nR,  l,j}siGui  and 
Pj^,  check  if  and  is  a  valid  key  pair  under  the  chosen  encryption  scheme.  If 


15 


is  invalid  or  does  not  match  then  output  TRUE  and  stop,  else  output  FALSE 
and  stop. 

If  c  =  C3,  then  we  wish  to  verify  that  member  j  improperly  sent  an  empty  inner  key  in 
Phase  5. 

Check  if  j  sent  of  the  form  {0,  ur,  5,  ijsiGnj  in  Phase  5.  If  not,  then  output  FALSE 
and  stop.  If  so,  then  check  each  message  for  =  FALSE  or  a  non-matching 
HASH{i?fc}.  If  none  are  found,  then  output  TRUE  and  stop;  else  output  FALSE  and  stop. 

If  c  =  C4,  then  we  wish  to  verify  that  member  j  sent  an  invalid  outer  key  pair  or 
improperly  sent  an  empty  outer  private  key  in  Phase  6. 

Check  if  j  sent  Hje  of  the  form  T,  ur,  6,j}siGuj  in  Phase  6.  If  so,  then  using 

messages  /Xji  =  0^“^,  ur,  l,j}siGuj  and  fijQ,  check  whether  and  is 

a  valid  key  pair.  If  is  invalid  or  does  not  match  0^“^,  then  output  TRUE  and  stop. 

Otherwise,  check  if  j  sent  of  the  form  {0,T,  n/j,  6,z}siG„..  If  not,  then  output 
FALSE  and  stop.  If  so,  then  check  if  j  received  a  message  ^^4  from  some  member  k  that 
included  either  a  GO^  set  to  FALSE  or  a  non-matching  HASHjSfc}.  If  so,  then  output 
TRUE  and  stop;  else  output  FALSE  and  stop. 

If  c  =  C5,  then  we  wish  to  verify  that  member  j  sent  an  invalid  public  key  in  Phase  1. 
Using  jiji  =  nR,  1,  jlsiG^^,  check  if  and  are  valid  public  keys. 

If  or  is  not  a  valid  key,  then  output  TRUE  and  stop;  else  output  FALSE  and 
stop. 

If  c  =  cg,  then  we  wish  to  verify  that  member  j  sent  an  invalid  commitment  in  Phase 
2a. 

Using  ^j2a  =  {Xj,  Ur,  2a,  jlsiG^^.,  check  whether  Xj  is  a  valid  commitment.  If  it  is 
not,  then  output  TRUE  and  stop;  else  output  FALSE  and  stop. 

If  c  =  C7,  then  we  wish  to  verify  that  member  j’s  commitment  is  incorrect  or  results  in 
an  incorrect  ciphertext  or  identity. 

Using  i^j2a  =  {Xj,nR,  2a,  j}SIG„.  and  i^j2b  =  {OPEN{Xj}, ur,  2b,y}SIG„^.,  check 
whether  Xj  matches  OPEN{2fj}  and  results  in  a  valid  ciphertext.  If  Xj  does  not  match 
OPEn{Xj}  or  does  not  yield  a  valid  ciphertext  and  identity  j,  then  output  TRUE  and 
stop,  else  output  FALSE  and  stop. 

If  c  =  cs,  then  we  wish  to  verify  that  member  j  did  not  send  a  permutation  of  decrypted 
ciphertexts  in  Phase  3. 

Check  if  every  member  k  sent  ^^6  of  the  form  tt^,  T,  ur,  6,  k}siGu^  in  Phase  6. 

If  not,  then  output  FALSE  and  stop.  If  so,  then  using  ,  ur,  1,  k}siGu^. 

and  fikQ,  check  if  each  member’s  outer  keys  and  are  valid  and  matching. 
If  not,  then  output  FALSE  and  stop.  If  so,  then,  using  =  {Cj_i,nR,  3,  j  — 

l}siGn^_^,  ^j3  =  {Cj,nR,3,j}siGuj,  and  ^je,  check  whether  Cj  is  a  permutation 
of  decrypted  ciphertexts.  That  is,  using  TTj,  permute  the  elements  of  the  vector  Cj-i 
included  in  then  decrypt  each  valid  ciphertext  using  Oj‘^'^  and  verify  whether 

the  resulting  vector  matches  the  vector  in  ^j^.  If  they  do  not  match,  then  output  TRUE 
and  stop,  else  output  FALSE  and  stop. 


16 


If  c  =  cg,  then  we  wish  to  verify  that  member  j’s  deerypted  outer  eiphertext  Cj  results 
in  an  invalid  eiphertext. 

Cheek  if  every  member  k  sent  of  tho  form  tt^,  T,  ur,  6,  k}siGu^.  in  Phase  6. 

If  not,  then  output  FALSE  and  stop.  If  so,  then  using  ,  ur,  1,  k}siGu^. 

and  cheek  if  eaeh  member’s  outer  keys  and  0^“^  are  valid  and  matehing.  If 
not,  then  output  FALSE  and  stop.  If  so,  then  using  ^j2b  =  {open{Xj},  ur,  2b,  jjsiGuj, 
produee  eiphertext  Cj.  Then  use  the  outer  private  keys  to  iteratively  remove  the  layers 
of  eneryption  from  the  eiphertexts  in  Cj,  verifying  that  a  valid  eiphertext  is  produeed 
after  every  step.  If  at  any  point  an  invalid  eiphertext  is  produeed,  then  output  TRUE  and 
stop,  else  output  false  and  stop. 

If  c  =  cio,  then  we  wish  to  verify  that  member  j’s  deerypted  outer  eiphertext  Cj  results 
in  a  duplieate  eiphertext. 

Cheek  if  every  member  sent  fike  of  the  form  vr^,  T,  ur,  6,  /cjsiGuj,  in  Phase  6.  If 

not,  then  output  FALSE  and  stop.  If  so,  then  using  ,  ur,  1,  k}siGu^. 

and  eheek  if  eaeh  member’s  outer  keys  01®“^  and  are  valid  and  matehing.  If 
not,  then  output  FALSE  and  stop.  If  so,  then  using  the 

k‘k2b  =  {OPENjXfc},  n/j,  2h,  k}siGuf,  of  every  member  k,  produee  the  submitted  ei¬ 
phertexts  Ck-  Use  the  outer  private  keys  to  iteratively  remove  the  layers  of  eneryption 
from  the  valid  eiphertexts  in  eaeh  Ck,  and  if  at  any  point  the  result  for  Cj  is  the  same  as 
the  result  for  some  other  Ck,  then  output  TRUE  and  stop,  else  output  FALSE  and  stop. 

If  c  =  cii,  then  we  wish  to  verify  that  member  j  sent  an  ineorreet  GOj  in  Phase  4. 
Cheek  if  every  member  sent  fike  of  the  form  vr^,  T,  ur,  6,  k}siGu^.  in  Phase  6.  If 

not,  then  output  FALSE  and  stop.  If  so,  then  using  jiki  =  {^k^^7  k}siGu^. 

and  fj^kG,  eheek  if  eaeh  member’s  outer  keys  01®“^  and  0^“^  are  valid  and  matehing.  If 
not,  then  output  FALSE  and  stop.  If  so,  then  eheek  if  GOj  =  FALSE  in  /ij4.  If  not,  then 
output  FALSE  and  stop,  else  eontinue. 

*  A-S  Phase  1:  Using  (/in, . . . ,  fiNi)  cheek  whether  j  reeeived  valid  inner  and  outer 
publie  keys.  If  any  key  is  invalid,  then  output  FALSE  and  stop. 

*  A-S  Phase  2a:  Using  (/ii2a,  •  •  • ,  /iAr2a)  verify  whether  eommitments  {Xi, . . .  ,Xn) 
are  valid.  If  any  eommitment  is  invalid,  then  output  FALSE  and  stop. 

*  A-S  Phase  2b:  If  j  =  1,  then  using  (/i^a,  •  •  • ,  k-N2a)  and  •  •  • ,  lJ.N2b)  verify 
whether  Xk  matehes  OPENjXfc}  and  results  in  a  valid  eiphertext  and  identity  k 
for  all  k  G  C.  If  any  eommitment  does  not  properly  open  or  results  in  an  invalid 
eiphertext  or  identity,  then  output  FALSE  and  stop. 

*  A-S  Phase  3:  Using  fij^,  eheek  whether  the  eontained  set  of  eiphertexts  ineludes 
duplieate  or  invalid  eiphertexts.  If  there  is  an  invalid  or  duplieate  eiphertext,  then 
output  FALSE  and  stop. 

*  A-S  Phase  4:  Using  jij2b,  {k-w,  ■  ■  ■  j^ng),  and  km  verify  whether  j’s  inner  eipher¬ 
text  C'j  was  ineluded  in  Cat.  To  determine  Cj,  open  the  eommitment  Xj  ineluded 
in  kj2b  and  deerypt  the  resulting  eiphertext  with  eaeh  of  the  outer  private  keys  in- 
eluded  in  (/Tie,  •  •  • ,  kNG)-  If  the  calculated  C'  was  not  ineluded  in  Cn,  then  output 
FALSE  and  stop,  else  output  TRUE  and  stop. 


17 


-  If  c  =  ci2,  then  we  wish  to  verify  that  j  sent  an  ineorreet  HASh{5}.  Caleulate  B'  us¬ 
ing  messages  (/Un, . . . ,  //ati,  ^i2a,  •  •  • ,  ft7V2a,  fiATs)  reeeived  by  j.  Then,  eheek  whether 
HASHji?'}  matehes  the  HASHjil}  ineluded  in  ^^4.  If  HASh{B'}  /  HASh{5},  then 
output  TRUE,  else  output  FALSE. 

4  GMP-Bulk 

4.1  Protocol  Description 

The  Group  Messaging  Protoeol-Bulk  GMP-BULK  is  an  instantiation  of  the  Group  Messaging  Pro- 
toeol  and  eonsists  of  three  algorithms:  SETUP-B,  ANONYMIZE-B,  and  VERIEY-PROOF-B.  Eaeh 
member  i  submits  a  message  mi  of  variable  length  L,  to  the  ANONYMiZE-B  protoeol  after  all 
members  run  SETUP-B  to  agree  on  eommon  protoeol  run  parameters.  If  a  run  of  GMP-BULK  eom- 
pletes,  it  ean  either  sueeeed  (Definition  6)  or  fail  (Definition  7).  In  ease  of  a  protoeol  failure  the 
VERIFY-PROOE-B  protoeol  is  used  to  validate  the  proofs  of  member’s  misbehavior  generated  upon 
a  protoeol  failure. 

4.2  The  Setup-B  Algorithm 

SETUP-B  (uj)  takes  eaeh  member’s  publie  signing  key  Vi  as  input,  and  outputs  a  session  nonee  ur 
identifying  a  run  of  ANONYMiZE-B,  a  session  nonee  ur-^  identifying  a  run  of  ANONYMIZE-S  in 
Phase  3  of  ANONYMiZE-B,  and  a  session  nonee  ur^  identifying  a  run  of  ANONYMiZE-S  in  Phase  7 
of  ANONYMIZE-B,  a  set  K  of  members’  signing  keys  ,  and  an  ordering  of  members  r.  Sinee 
members  submit  messages  of  variable  lengths,  there  is  no  need  to  agree  on  a  fixed  message  lengfh 
L. 


4.3  The  Anonymize-B  Algorithm 

The  purpose  of  ANONYMlZE-B(mi,  K,  ur,  hr^  ,  hr^^t)  when  run  by  eaeh  member  in  a  group  on 
fhe  eolleefive  inpuf  messages  M  is  fo  produee  anonymized  messages  M' .  The  algorifhm  fakes  a 
message  m  and  fhe  oufpuf  of  SETUP-B  as  inpuf.  A  run  of  ANONYMiZE-B  sueeeeds  for  member 
i  if,  upon  eomplefion  of  ANONYMiZE-B,  her  infernal  flag  SUCCESS*  is  sef  fo  TRUE,  and  fails  if 
SUCCESS*  is  sef  fo  EALSE.  If  a  protoeol  run  sueeeeds,  fhen  member  i  oufpufs  (SUCCESS,  Mj'), 
where,  as  we  show  in  Seefion  5,  M[  eonsisfs  of  N  messages  ineluding  every  message  submitted 
by  an  honest  member.  If  a  protoeol  run  fails,  then  member  i  produees  (eailure,  BLAME*,  £*). 
BLAME*  ineludes  proofs  pj  =  (j,  c)  for  eaeh  member  j  for  whom  a  eheek  c  fails  in  Phase  7  from 
member  i’s  point  of  view.  The  eheeks  in  this  phase  are  as  follows,  listed  in  the  order  they  are 
applied  by  member  i  during  the  protoeol.  As  before,  eaeh  eheek  is  assoeiated  with  a  eheek  number 
that  ANONYMIZE-B  uses  to  form  a  proof  of  a  partieular  form  of  misbehavior,  and  VERlEY-PROOF-B 
uses  to  eonfirm  a  reeord  of  that  misbehavior. 

•  Cheek  1  (ci):  Equivoeation  in  Phase  4  or  Phase  5. 

•  Cheek  2  (02):  Eailure  of  ANONYMiZE-S  in  Phase  3  or  Phase  7  without  justifieation. 

•  Cheek  3  (03):  Empty  or  ineorreet  eiphertext(s)  sent  in  Phase  4. 


18 


•  Check  4  (C4):  Unverifiable  proof  included  in  the  notification  in  Phase  4. 

•  Check  5  (C5):  Invalid  public  key  sent  in  Phase  la. 

•  Check  6  (ce):  Equivocation  in  Phase  la. 

The  log  li  includes  all  messages  sent  and  received  by  i  during  SETUP-B  and  ANONYMIZE-B  as  well 
as  the  output  of  ANONYMIZE-S  in  Phase  3  and  Phase  7. 

For  every  member  j,  a  complete  log  consists  of  the  following  messages. 

•  SETUP-B:  All  protocol  messages. 

•  Phase  la:  Sent:  /Xjia,  received:  for  all  k  /  j. 

•  Phase  lb:  Sent:  fiju,  received:  ^kib  for  all  k  /  j. 

•  Phase  2:  No  messages. 

•  Phase  3:  Sent:  and  all  messages  sent  in  shuffle,  received:  for  all  k  /  j,  and  all 

messages  received  in  shuffle. 

ANONYMiZE-S  output:  Mj  =  if  ANONYMiZE-S  succeeds  or  BLAME^^.^^^  if 

ANONYMiZE-S  fails  as  well  as  all  messages  sent  and  received  within  the  protocol. 

•  Phase  4:  Sent:  fXj4,  received:  ^^4  for  all  k  /  j. 

•  Phase  5:  Sent:  fXj^,  received:  ^^5  for  all  k  /  j. 

•  Phase  6:  No  messages. 

•  Phase  7:  Sent:  fXjj  and  all  messages  sent  in  shuffle;  received:  for  all  k  ^  j  and  all 

messages  received  in  shuffle. 

ANONYMIZE-S  output:  Mj  =  ,  A'j^  if  ANONYMIZE-S  succeeds  or  BLAME*^,  if 

ANONYMIZE-S  fails  as  well  as  all  messages  sent  and  received  within  the  protocol. 

Algorithm  description.  ANONYMlZE-B(mj,  K,  ur,  ,  ur^^t) 

•  Phase  la:  Session  Key  Pair  Generation. 

Each  member  i  chooses  an  ephemeral  encryption  key  pair  {xi,yi)  and  broadcasts 

hiia  =  {yi,nR,  la,f}SIG„^. 


•  Phase  lb:  Key  Verification. 

After  receiving  a  public  key  from  every  member  j,  member  i  notifies  other  members  about 
the  set  of  keys  she  receives.  Member  i  creates  Kf  =  {pua,  ■  ■  ■ ,  hNia}  and  broadcasts 

hub  5  lb,  SIG^^ . 


19 


•  Phase  2:  Message  Deseriptor  Generation. 

Member  i  ereates  a  message  descriptor  di  of  a  fixed  length  A^.  Member  i  sets  Lj  =  0  if  she 
does  not  wish  to  send  a  message  in  this  protoeol  run  and  Li  to  the  desired  message  length  if 
she  wishes  to  send  a  message. 

Case  1.  Sueeessful  key  verifieation.  Member  i  verifies  eaeh  set  of  publie  keys  reeeived  in 
Phase  lb  to  ensure  that  other  members  reeeived  the  same  set  of  valid  publie  keys.  If  every 
K'^  eontains  the  same  set  of  publie  keys  and  every  publie  key  yj  G  is  valid,  then  member 
i  ehooses  a  random  seed  Sij  for  eaeh  member  j  and  generates  Li  pseudorandom  bits  from  Sij 
to  obtain  eiphertext 

Cij  —  PRNG{Z/j,  Sjj }  (j  i), 
where  Lj  and  Sij  are  of  fixed  lengths  for  all  members. 

Member  i  now  XORs  her  message  m,  with  eaeh  Cij  for  j  ^  ito  obtain  eiphertext  Cu: 

Cii  =  Cii  ©  ...  ©  ©  rrii  ©  ©  ...  ©  CiN 

Member  i  eomputes  hashes  Hij  =  HASH{(7ij},  enerypts  eaeh  seed  Sij  with  j’s  publie  key  to 
form  Sij  =  {sij}y^j  \  and  eolleets  the  Hij  and  Sij  into  veetors  Hi  and  Sp. 

Hi  —  (^Hii, . . . ,  Hi]^) 

Si  =  {Sii,  .  .  .  ,  Sijq) 

Member  i  forms  a  message  deseriptor  di,  whieh  has  a  fixed  length 

d,  =  {L,,Hi,Si}. 

Case  2.  Failed  key  verifieation.  If  any  Kj  eontains  a  non-matehing  set  of  keys  or  any  Kj 
eontains  an  invalid  key,  then  member  i  ereates  an  empty  message  deseriptor  of  the  desired 
length  Ad 


di  =  0^L 

Case  3.  No  message  to  send.  If  member  i  ehooses  not  to  send  a  message  in  this  protoeol  run, 
she  sets  L*  =  0  and  assigns  random  values  to  Hi  and  Si. 

Member  i  forms  her  message  deseriptor  di  as  follows  and  pads  it  to  the  desired  length  A^ 

d,  =  {Li,Hi,Si}. 

•  Phase  3:  Message  Deseriptor  Shuffle. 

Each  member  i  runs  the  ANONYMIZE-S  protocol  described  in  Section  3  using  {di,  K,  ,  r,  fi) 
as  input,  where  the  fixed-length  descriptor  di  is  the  secret  message  to  be  shuffled.  Member 
i  sets  fi  =  TRUE  if  i  created  an  empty  message  descriptor,  and  member  i  sets  fi  =  FALSE 
otherwise. 


20 


If  ANONYMIZE-S  succeeds,  member  i  has  a  list  M'  of  message  descriptors  in  some  random 
permutation  tt.  If  the  protocol  fails  outputting  (failure,  blame|\  member  i  saves 
BLAME*^  and£®\ 

If  member  i  set  /*  =  TRUE,  then  i  prepares  a  proof  p'  of  the  dishonest  member  j ’s  misbehavior 
to  distribute  to  other  members.  If  member  j  sent  an  invalid  key,  then  member  i  sets  p'  = 
(j,  c^,Pjia),  where  C5  indicates  the  failed  check  number  and  pjia  is  the  message  received  by 
i  in  Phase  la.  If  member  j  equivocated,  then  member  i  sets  p'  =  {j,  cg,  Pjia,  where 

Pjia  is  the  message  received  by  i  in  Phase  la  and  is  a  message  included  in  some 
that  contains  a  different  key  for  j  than  in  pjia-  If  there  is  more  than  one  culprit  member  j, 
member  i  chooses  one  j  to  blame  in  some  way  that  does  not  depend  on  her  message  (e.g. 
randomly).  If  member  i  received  all  valid  and  matching  keys,  then  member  i  sets  p'  =  0. 

Member  i  broadcasts: 

iTis  =  {p,nR,  3,r}SIG,.^. 

•  Phase  4:  Data  Transmission. 

Case  1.  If  ANONYMiZE-S  fails,  then  member  j  sets  GOj  =  FALSE  and  shares  her  blame  set 
BLAME®^  and  log  by  broadcasting 

Pji  =  {GO  j,  BLAME^'.^  if  ,  UR,  4,  j}SlGuj. 

Case  2.  If  ANONYMiZE-S  succeeds,  member  j  sets  GOj  =  TRUE  and  decrypts  each  encrypted 
seed  Sij  with  private  key  Xj  to  reveal  Sij .  If  Sij  matches  the  seed  Sjj  that  j  chose  for  herself  in 
her  own  descriptor,  then  j  sets  Cij  =  Cjj.  Otherwise,  j  sets  Cij  =  PRNG{Lj,  s^}.  Member 
j  then  checks  HASHlCij}  against  Hij.  If  the  hashes  match,  j  sets  =  Cij.  If  Sij  is  not 
a  valid  ciphertext,  Sij  is  not  a  valid  seed,  or  HAShIC^}  /  Hij,  then  j  sets  to  an  empty 
ciphertext,  =  {}. 

Member  j  now  sends  each  in  vr-shuffled  order  by  broadcasting 

Pji  {GOjT  ^7r(l)j’  •  •  •  >  ^n{N)j^  4,  j}SIGu^.. 

•  Phase  5:  Acknowledgment  Submission. 

Each  member  k  notifies  other  members  about  the  outcome  of  the  previous  phase. 

Case  1.  If  GOj  =  FALSE  for  any  member  j,  then  member  k  adds  each  message  pj^  containing 
GOj  =  FALSE  into  a  vector  14- 

Case  2.  If  GOj  =  TRUE  for  every  member  j  but  some  ciphertext  is  empty  or  satisfies 
HAShIC'j}  /  Hij,  fhen  slof  7r(i)  has  been  corrupfed.  Member  k  adds  each  message  pj^ 
confaining  such  a  corrupfing  cipherfexf  fo  a  vector  I4. 

Case  3.  If  GOj  =  TRUE  for  every  member  j  and  all  cipherfexfs  Ck  are  non-emply  and  satisfy 
HAShIC'j}  =  Hij,  fhen  member  k  sefs  Vk  =  {}. 

In  every  case  member  k  broadcasfs 

5 ,  A:}SIGtjj, . 


21 


•  Phase  6:  Message  Reeovery. 

If  GOi  =  TRUE  for  every  member  i,  then  for  eaeh  uneorrupted  slot  7r(i),  member  k  reeovers 
member  i’s  message  by  eomputing 


—  C'ii  ©  ...  ©  C'tv. 

If  14  =  {}?  then  from  member  k’s  point  of  view  none  of  the  slots  were  eorrupted  and  all 
messages  =  (m'^, . . . ,  m'j^)  were  sueeessfully  reeovered.  If  I4  /  {}?  then  some  message 
slot  was  eorrupted  or  a  step  of  the  protoeol  has  failed. 

•  Phase  7:  Blame. 

For  eaeh  member  i,  if  i  observed  a  eorrupted  slot  with  a  deseriptor  matehing  di  (there  may 
be  more  than  one)  and  reeeived  all  GOj  =  TRUE,  then  i  generates  an  accusation  naming 
the  member  j  who  sent  that  ineorreet  eiphertext.  If  there  is  more  than  one  eulprit  member, 
member  i  ehooses  one  to  blame  in  any  way  that  only  depends  on  the  output  of  ANONYMIZE-S 
and  on  Eaeh  aeeusation  has  a  fixed  length  Aq,  indieates  the  eorrupted  slot  vr(z),  eontains 
the  seed  Sij  that  i  assigned  j,  and  eontains  the  random  bits  that  i  used  to  enerypt  the  seed: 

Ai  =  {j,TT{i),Sij,Rij}. 

Each  member  i  who  does  not  have  an  accusation  to  send  submits  the  empty  accusation 
Ai  =  0^“. 

These  accusations  will  be  sent  anonymously  using  the  ANONYMIZE- S  protocol.  However, 
before  running  it,  members  look  for  evidence  of  equivocation  in  the  previous  two  rounds. 
Every  member  i  compares  each  message  ^'  4  that  she  received  in  some  I4  in  Phase  5  with 
the  message  that  she  received  directly  from  j  in  Phase  4.  If  the  contents  of  these  do  not 
match,  ignoring  any  ^'  4  with  an  improper  signature  or  incorrect  round  or  phase  number,  then 
member  sets  fi  =  TRUE  to  cause  ANONYMIZE- S  to  fail  in  order  to  inform  other  members 
about  the  equivocation.  If  all  such  messages  match,  member  i  sets  fi  =  FALSE. 

Member  i  thenruns  ANONYMlZE-s(Aj,  K,  nn^^T,  fi).  After  ANONYMiZE-S  completes,  there 
is  an  opportunity  for  members  who  deliberately  failed  the  shuffle  fo  disfribufe  evidence  of 
equivocafion.  Eor  a  member  i  who  sef  fi  =  TRUE  because  of  conflicting  messages  4  and 
tijA,  i  creates  a  proof  of  j’s  equivocation  by  selling  p'  =  {j,  ci,  pj4,  /u'4).  If  Ihere  is  more 
lhan  one  culpril  member  j,  member  i  chooses  one  j  lo  blame  in  any  way  lhaf  depends  af  mosl 
on  Ihe  broadcasl  messages  and  sen!  and  received  by  i.  If  member  i  had  fi  =  FALSE, 
Ihen  i  sels  p'  =  0.  Member  i  Ihen  broadcasls 


Pi7  =  {p',nR,  7,f}siG,.^. 

Eel  Ok  be  Ihe  oulpul  of  Ihe  ANONYMIZE- S  protocol  for  member  k.  After  receiving  a  message 
Pi7  from  every  olher  member  i,  member  k  executes  one  of  Ihe  following  cases. 


22 


Case  1:  Ok  =  (FAILURE,  BLAME^^,  £^2). 

Member  k  sets  SUCCESS^  =  FALSE.  Then  k  eonsiders  every  blame  entry  (i,  c)  G  BLAME^^. 
If  c  /  cii,  then  i  eould  not  have  justifiably  eaused  the  blame  shuffle  fo  fail,  and  so  k  adds 
{i,  C2)  fo  BLAMEfc.  Ofherwise  c  =  cn,  and  member  k  looks  in  Hif  for  possible  juslifiealion  of 
fhe  failure.  If  iJ,ij  does  inelude  fwo  versions  of  fhe  same  eipherfexf  (ineluded  in  properly 
signed  messages  fhaf  inelude  eorreef  phase  and  round  numbers)  for  some  member  j,  fhen  k 
adds  {j,  Cl)  fo  BLAMEfc.  Ofherwise,  k  adds  {i,  C2)  fo  BLAME^. 

Case  2:  Ok  =  (SUCCESS,  M^^)  and  I4  =  {}. 

Member  k  sefs  SUCCESS^  =  TRUE. 

Case  3:  Ok  =  (SUCCESS,  M^^)  and  I4  ineludes  eipherfexfs. 

k  eheeks  fhe  validify  of  every  aeeusafion  Ai  =  {j,  7r(f),  Sij,  Rij)  in  fhaf  fargefs  an  in- 
eorreef  eipherfexf  reeeived  by  k.  To  do  so,  k  replays  fhe  enerypfion  =  {sij}yj\  eheeks 
fhaf  fhe  enerypfed  seed  Sij  ineluded  in  di  mafehes  Sk,  and  eheeks  fhaf  fhe  hash  Hij  in  di 
mafehes  HASH{PRNG{Lj,  Sjj}},  where  Li  is  also  obfained  from  di.  If  fhe  aeeusafion  is  valid, 
fhen  member  k  adds  (j,  C3)  fo  BLAME^.  If  ineludes  no  valid  aeeusafion  fargefing  an 
ineorreef  eipherfexf  reeeived  by  k,  fhen  k  sefs  SUCCESS*;  =  TRUE.  Ofherwise,  member  k  sefs 
SUCCESS*;  =  FALSE. 

Case  4\  Ok  =  (SUCCESS,  M^^)  and  I4  eonfains  GO*  =  FALSE  for  some  i. 

Member  k  sefs  SUCCESS*,  =  FALSE.  Then  k  eonsiders  every  GO*  =  FALSE  in  V*,. 

Member  k  eheeks  Hi^  fo  see  if  fhe  eonfained  blame  sef  and  log  eonsfifufe  a  valid  proof  of 
some  member  j’s  misbehavior.  To  do  so,  member  k  eheeks  fhaf  02  eonfains  n/jj  as  fhe 
round  number  fhaf  is  a  resulf  of  SETUP-B  and  fhaf  VERIFY- PROOF-S (pj, £-^)  =  TRUE  for 
some  pj  G  BLAME®k  If  nof,  fhen  member  k  blames  i  by  adding  (f,  C4)  fo  BLAME*,.  If 
so,  fhen  k  eonsiders  every  pj  G  BLAMEj'^  sueh  fhaf  VERIFY- PROOF-S (pj,  =  TRUE.  If 
Pj  /  (j,  cii),  fhen  member  k  adds  (j,  C2)  to  BLAME*,.  If  pj  =  (j,  cn),  then  member  k 
examines  pjs  to  see  if  member  j  justifiably  eaused  a  failure  of  ANONYMIZE-S  fo  expose  bad 
key  disfribufion  by  some  member  i.  If  ineludes  an  invalid  key  ip  in  a  properly  signed 
message  wifh  eorreef  round  and  phase  numbers,  fhen  member  k  adds  {£,  C5)  fo  BLAME*,.  If 
ineludes  fwo  differenl  versions  of  publie  key  yi  in  properly  signed  messages  wifh  eorreef 
round  and  phase  numbers,  fhen  member  adds  {£,  ce)  fo  BLAME*,.  Ofherwise,  k  adds  (j,  C2) 
fo  BLAME*;. 

In  every  ease,  k  eoneludes  as  follows.  If  SUCCESS*,  =  TRUE,  k  oufpufs  (SUCCESS,  M^). 
Ofherwise,  member  k  ereafes  a  log  £*,  of  fhe  profoeol  run  fhaf  all  messages  sen!  and  reeeived 
by  k  during  SETUP-B  and  ANONYMIZE-B  as  well  as  fhe  oufpuf  of  fhe  ANONYMiZE-S  profoeol 
in  Phases  3  and  7.  Member  k  oufpufs  (failure,  blame*,,  £*,). 

4.4  Verify-Proof-B  Algorithm 

The  VERIFY- PROOF-B (pj,  £j)  algorifhmis  usedfo  verify  a  member’s  misbehavior.  VERIFY-PROOF-B 
fakes  as  inpuf  a  proof  pj  and  a  log  0.  A  proof  pj  should  eonsisf  of  a  fuple  (j,  c),  where  j  is  a  mem¬ 
ber’s  idenfifier  and  c  indieafes  fhe  eheek  fhaf  failed  for  member  j  from  member  f ’s  poinf  of  view.  A 


23 


log  should  include  all  messages  sent  and  received  during  SETUP-B  and  ANONYMIZE-B  by  mem¬ 
ber  i  as  well  as  the  output  of  ANONYMIZE- S  in  Phases  3  and  7.  The  protocol  outputs  TRUE  if  pj  is 
a  proof  of  j’s  misbehavior  given  Ts  log  and  EALSE  otherwise. 

Algorithm  description. 

VERIFY-PROOE-B(pj, 

•  Step  1 :  Proof  verification. 

Verify  that  pj  includes  a  valid  check  number  c  and  member  identifier  j.  If  fhe  proof  pj  is 
valid,  fhen  proceed  fo  fhe  nexf  phase.  If  pj  is  invalid,  fhen  oufpuf  FALSE  and  slop. 

•  Slep  2:  Log  verificalion. 

All  messages  included  in  fhe  log  are  verified  fo  ensure  lhal  signalures  on  included  messages 
are  valid  given  fhe  included  member  idenlifier.  Each  message  is  checked  fo  verify  lhal  if 
conlains  a  correcf  round  nonce  given  fhe  execulion  of  fhe  SETUP-B  prolocol  and  a  correcl 
phase  number.  All  messages  wilh  invalid  signalures,  round  nonces,  or  phase  numbers  are 
discarded.  If  fhe  resulling  log  does  nol  include  all  messages  lhal  were  supposed  fo  have  been 
senl  and  received  by  i  during  SETUP-B  and  ANONYMiZE-B,  as  described  in  Ihe  descriplions 
of  Ihose  algorilhms,  as  well  as  Ihe  oulpul  of  ANONYMIZE-S  in  Phases  3  and  7,  Ihen  oulpul 
FALSE.  Olherwise,  proceed  lo  Ihe  nexl  phase. 

•  Slep  3:  Proof  verificalion  decision. 

Log  li  is  examined  as  follows  lo  verify  lhal  j  failed  check  c: 

-  If  c  =  Cl,  Ihen  we  wish  lo  verify  lhal  member  j  equivocated  in  Phase  4  or  Phase  5. 

Check  if  ANONYMiZE-S  failed  in  Phase  7.  If  nol,  Ihen  oulpul  FALSE  and  slop.  If  yes, 
Ihen  use  log  lo  check  each  message  pk-j  =  {p',  ur,  7,  k}siGu^.-  If  no  p'  is  of  Ihe 
form  where  and  pj^  are  properly  signed  messages  wilh  correcl 

round  and  phase  numbers  and  are  of  Ihe  form  {true,  Ci, . . . ,  Cn,  nji,  4,  jjsiGtj  for 
some  cipherlexls  Ci,  Ihen  oulpul  FALSE  and  slop.  Else,  if  pj^  and  /i'4  conlain  differenl 
messages  for  any  such  p',  Ihen  oulpul  TRUE  and  slop.  Else  oulpul  FALSE  and  slop. 

-  If  c  =  C2,  Ihen  we  wish  lo  verify  lhal  member  j  caused  a  failure  of  ANONYMIZE- S  in 
Phase  3  or  Phase  7  wilhoul  juslificalion. 

Check  if  eilher  ANONYMiZE-S  failed  in  Phase  7  or  Ihere  was  some  pki  in  Vi  wilh  GO^  = 
FALSE.  If  nol,  Ihen  oulpul  FALSE  and  slop. 

If  ANONYMIZE-S  failed  in  Phase  7,  Ihen  consider  each  proof  pj  G  BLAME^^  blaming 
j.  Verify  lhal  VERlFY-PROOF-s(pj,  1'®^)  =  TRUE  and  lhal  uses  riR^  as  Ihe  round 
number,  and  if  nol  discard  Ihis  proof.  Olherwise,  if  pj  /  (j,  cn)  Ihen  oulpul  TRUE  and 
slop.  If  instead  pj  =  (j,  cn),  Ihen  we  musl  check  whelher  j  caused  a  prolocol  failure 
in  order  lo  dislribule  a  proof  of  equivocation  of  some  olher  member  k.  Using  message 
k-j7  =  {p' ^  tir,  l,j}siGuj,  check  if  p'  is  of  Ihe  form  {k,  ci,  p'j.^)  wilh  k  ^  j  and 
where  pkA  and  p'j.^  have  differenl  conlenls  and  are  properly  signed  wilh  correcl  round 
and  phase  numbers.  If  nol,  Ihen  oulpul  TRUE  and  slop.  If  no  proof  resulls  in  an  oulpul 
of  TRUE,  Ihen  oulpul  FALSE  and  slop. 


24 


Otherwise,  the  blame  shuffle  sueeeeded  for  i,  but  some  member  indieated  a  failure  of 
the  deseriptor  shuffle.  For  every  k  that  sent  a  fXkA  of  the  form 

{false,  Ur,  4,  kjsiGu^.,  eonsider  every  proof  pj  G  blame^^  blaming 

j.  Verify  that  VERIFY- PROOF-S (pj,  =  TRLfE,  and  that  the  round  number  in  is 

and  if  not  diseard  this  proof.  Otherwise,  if  pj  /  (j,  cn),  then  output  TRUE  and 
stop.  If  instead  pj  =  (j,  cn),  then  we  must  eheek  whether  j  eaused  a  protoeol  failure 
in  order  to  distribute  a  proof  of  misbehavior  of  some  other  member  k.  Using  message 
=  {p'ynR,  3,y}siG„^.,  eheek  if  (/)  p'  is  of  the  form  {k,  c^jPkia)  with  k  ^  j  and 
where  pkia  contains  an  invalid  publie  key  yk  and  is  properly  signed  with  eorreet  round 
and  phase  numbers,  or  (//)  p'  is  of  the  form  {k,  cg,  pkia,  p'kia)  ^  /  J  where  the 
keys  in  pkia  and  are  unequal  and  both  messages  are  properly  signed  with  eorreet 
round  and  phase  numbers.  If  not,  then  output  TRUE  and  stop.  If  no  proof  pj  results  in 
an  output  of  TRUE,  then  output  FALSE  and  stop. 

If  c  =  C3,  then  we  wish  to  verify  that  member  j  sent  an  empty  or  ineorreet  eiphertext 
C'f^-  in  Phase  4. 

Cheek  if  (/)  j  sent  pji  of  the  form  {true,  •  •  • ,  Cpj^p,nR,  4,  j}siG„^  in  Phase  4, 

and  (//)  ANONYMIZE- S  in  Phase  7  sueeeeded  for  member  i  with  an  aeeusation  Ak  = 
{j,  7r(A:),  Skj,Rkj}  naming  j  as  a  faulty  member  in  its  output.  If  not,  then  output  FALSE 
and  stop. 

Otherwise,  we  need  to  eheek  that  the  aeeusation  against  j  is  valid.  Doing  so  requires 
eomparing  the  aeeusation  to  the  deseriptors  reeeived  by  j.  We  need  to  be  sure  that  j 
reeeived  the  deseriptors  elaimed  by  i.  To  do  so,  first  reeompute  the  hash  of  broadeast 
messages  in  Phases  1-3  of  the  deseriptor  shuffle  and  eompare  it  to  the  hash  that  i  sent  in 
Phase  4  of  that  shuffle.  If  the  hashes  are  not  the  same,  output  FALSE  and  stop.  Otherwise, 
further  eompare  them  to  the  hash  sent  by  j  in  Phase  4  of  the  deseriptor  shuffle.  If  they 
do  not  mateh,  output  FALSE  and  stop. 

Otherwise,  examine  the  inner  private  keys  reeeived  by  i  in  Phase  5  of  the  deseriptor 
shuffle.  If  any  key  is  invalid  or  does  not  mateh  its  publie  key  7^^^,  output  FALSE 
and  stop. 

Otherwise,  use  these  keys  to  deerypt  the  inner  eiphertexts  eontained  in  the  final  broad- 
east  of  Phase  3.  Let  {Lk,  Hk,  Sk}  be  the  resulting  deseriptor  in  the  slot  7r(/c)  pointed 
to  by  the  aeeusation.  Reeall  that  is  the  eiphertext  for  this  slot  that  j  sent  to  i  in 

message  pj4^.  Cheek  if  (/)  HASh{C'{.^^^^.}  does  not  mateh  the  hash  in  the  jth  element 
of  Hk,  (ii)  the  eneryption  of  the  aeeusation  seed  Skj  under  the  key  sent  in  pjia  using 
the  random  bits  Rkj  of  the  aeeusation  is  equal  to  the  yth  enerypted  seed  in  Sk,  and  (iU) 
HASH{PRNG{Lfc,  Sfcj}}  is  equal  to  the  hash  in  the  yth  element  of  Hk-  If  not,  output 
FALSE  and  stop.  If  so,  output  TRUE  and  stop. 

If  c  =  C4,  then  we  wish  to  verify  that  member  j  unjustifiably  reported  in  Phase  4  a 
failure  of  ANONYMIZE- S. 

Cheek  if  j  sent  pj4  of  the  form  {false,  BLAME^^,7^\  n-ij,  4,  jjsiGu^.  If  not,  then 
output  FALSE  and  stop.  If  so,  examine  to  see  if  j  justifiably  eaused  failure  of  the 
deseriptor  shuffle.  If  (/)  it  eontains  an  invalid  key  yk  in  a  properly  signed  message  with 
eorreet  round  and  phase  numbers,  or  (ii)  it  eontains  two  different  versions  of  the  same 


25 


key  Uk  in  properly  signed  messages  with  correct  round  and  phase  numbers,  then  output 
FALSE  and  stop. 

Otherwise,  check  if  (/)  does  not  contain  the  round  number  that  is  the  output  of 
SETUP-B  in  li,  or  (//)  Vpi  G  BLAME^^  VERIFY-PROOF-S(pj,  )  =  FALSE.  If  SO,  then 
output  TRUE  and  stop,  else  output  FALSE  and  stop. 

-  If  c  =  C5,  then  we  wish  to  verify  that  member  j  sent  an  invalid  key  in  Phase  la. 

Check  if  =  {v' 3,/c}siGtjj,  sent  by  any  member  k  contains  p'  of  the  form 
(j,  C5,  pjia),  where  pjia  contains  an  invalid  public  key  yj  and  is  properly  signed  with 
correct  round  and  phase  numbers.  If  yes,  then  output  TRUE  and  stop,  else  output  FALSE 
and  stop. 

-  If  c  =  C6,  then  we  wish  to  verify  that  member  j  equivocated  in  Phase  la  and  sent  two 
different  public  keys. 

Check  if  any  pks  =  {p',  nn,  3,  k}siGu^.  contains  p'  of  the  form  (j,  ce,  Pjia,  p'jia) 
that  pjia  and  have  different  message  contents  and  are  properly  signed  with  correct 
round  and  phase  numbers.  If  yes,  then  output  TRUE  and  stop,  else  output  FALSE  and 
stop. 


5  Security  properties  and  proofs 

In  this  section,  we  formally  define  and  analyze  integrity,  accountability,  and  anonymity  and  prove 
that  DISSENT  satisfies  these  properties.  These  definitions  are  precise  versions  of  the  notions  used 
by  Corrigan-Gibbs  and  Ford  (2010). 

5.1  Notation 

Let  G  be  the  set  of  all  members  participating  in  the  protocol,  H  be  the  set  of  honest  members 
and  D  the  set  of  dishonest  members.  For  security  properties  expressed  as  a  game  between  an 
adversary  A  and  challenger  C,  we  denote  the  output  of  the  adversary  as  .  We  use  A(G*)  to 
denote  \Pr  [G'*(0)  =  l]  —  Pr  [G*(l)  =  l]  |,  which  is  the  advantage  of  game  G*.  We  also  use  b  to 
indicate  the  complement  of  bit  6:  6  =  1  —  b. 

5.2  Preliminary  Definitions 

We  use  the  following  technical  definitions,  some  making  precise  notions  discussed  earlier  and  some 
introduced  here,  to  express  the  security  definitions,  theorems,  and  proofs. 

Definition  5.  A  function  is  negligible  in  an  input  if  it  is  non-negative  and  goes  to  zero  with  that  input 
asymptotically  faster  than  any  inverse  polynomial.  The  input  is  assumed  to  be  a  security  parameter 
unless  otherwise  stated. 

Definition  6.  A  protocol  run  of  a  GMP  protocol  succeeds/or  member  i  if  the  ANONYMIZE  algorithm 
terminates  with  output  (SUCCESS,  M'). 

Definition  7.  A  protocol  run  of  a  GMP  protocol  fails /or  member  i  if  the  ANONYMIZE  algorithm 
terminates  with  output  (failure,  blame*,  £*). 


26 


Definition  8.  A  member  is  honest  if  she  faithfully  carries  out  the  protocol  according  to  its  specifi¬ 
cation,  does  not  cooperate  with  the  adversary,  and  is  not  under  his  control. 

Definition  9.  A  member  is  dishonest  if  she  is  not  honest. 

Definition  10.  A  group  member  i  blames  member  j  if  pj  G  BLAMEj  upon  a  protocol  failure  resulting 
in  (failure,  BLAMEj,  . 

Definition  11.  A  verifiable  proof  of  j’s  misbehavior  given  ii  isapj  such  that  VERlFY-r’ROO¥{p  j ,  £i)  = 
TRUE. 

Definition  12.  A  group  member  i  exposes  member  j  if  i  holds  a  verifiable  proof  of  j’s  misbehavior 
given  a  log  ii  of  a  protocol  run  in  which  member  j  participated  using  his  long-term  signing  key  Uj. 

5.3  Integrity 

Definition  13.  A  Group  Messaging  Protocol  GMP  offers  integrity  if  after  a  complete  run  of  the 
protocol  involving  N  group  members 

1.  each  honest  member  i  terminates  with  either  (SUCCESS,  Mf)  or  (FAILURE,  BLAMEj,  ii),  and 

2.  for  every  honest  member  who  terminates  with  (SUCCESS,  M'f),  except  with  negligible  proba¬ 
bility,  M[  contains  exactly  N  of  the  same  messages,  includes  each  honest  member’s  message, 
and  has  the  messages  in  the  same  order. 

In  Seetion  5.3.1  we  provide  a  proof  that  the  GMP-SHUFFLE  protoeol  maintains  integrity.  See- 
tion  5.3.2  eontains  a  proof  for  the  GMP-BULK  protoeol.  The  proofs  are  struetured  as  follows.  First, 
we  show  that  a  protoeol  run  ean  either  sueeeed  or  fail  for  eaeh  honest  i.  Then,  we  show  that  eaeh 
honest  i  who  sueeeeds  obtains  a  same  set  M'  of  exaetly  N  messages  that  ineludes  every  honest 
member’s  message. 

5.3.1  The  GMP-Shufffe  Protocol 

We  will  show  that  the  GMP-SHUFFLE  protoeol  terminates  either  with  sueeess  or  failure,  depending 
on  the  outeome  of  the  verifieation  in  Phase  4  and  the  key  release  and  deeryption  in  Phase  5.  If  both 
phases  eomplete  sueeessfully,  then  member  i  reeovers  seeret  messages  submitted  to  the  protoeol  and 
the  protoeol  eompletes  outputting  (SUCCESS,  M[).  If  any  step  of  Phase  4  or  5  fails,  then  member  i 
outputs  (failure,  BLAMEj,  li)  after  exeeuting  the  blame  proeedures  in  Phase  6. 

Lemma  1.  After  a  complete  run  o/ GMP-SHUFFLE,  each  honest  group  member  i  terminates  with 
either  (SUCCESS,  Mf)  or  (FAILURE,  BLAMEj,  ii). 

Proof.  After  running  ANONYMIZE-S,  eaeh  honest  member  i’s  internal  SUCCESSj  flag  is  set  to  ei¬ 
ther  TRUE  or  FALSE  indieating  the  outeome  of  the  protoeol  from  i’s  point  of  view.  Member  i  has 
SUCCESSj  =  TRUE  only  if  in  Phase  4  she  has  a  “go”  message  and  reeeives  a  eomplete  set  of  “go” 
messages  and  matehing  broadeast  hashes  from  every  member,  and  in  Phase  5  she  reeeives  a  eom¬ 
plete  set  of  non-empty  and  matehing  inner  private  keys  from  every  member.  Otherwise,  member  i’s 
flag  is  set  to  FALSE. 

For  every  honest  member  i,  ANONYMiZE-S  outputs  (SUCCESS,  M')  if  SUCCESSj  =  TRUE  and 
(failure,  BLAMEj,  ^j)  if  SUCCESSj  =  FALSE.  Henee,  eaeh  protoeol  run  of  GMP-SHUFFLE  termi¬ 
nates  with  either  (SUCCESS,  Mf)  or  (FAILURE,  BLAMEj,  £*)  for  every  honest  group  member  i.  □ 


27 


Lemma  2.  For  every  honest  member  i  who  terminates  with  (SUCCESS,  M[)  after  running  GMP-SHUFFLE, 
except  with  negligible  probability,  M'  includes  the  same  N  messages,  includes  each  honest  mem¬ 
ber’s  message,  and  has  the  messages  in  the  same  order. 

Proof.  Let  i  be  an  honest  member  for  whom  the  protoeol  run  sueeeeds.  Aeeording  to  the  protoeol 
speeifieation,  i  terminated  with  (SUCCESS,  Mf)  beeause  (/)  in  Phase  4  her  own  GO*  =  TRUE,  (//) 
in  Phase  4  she  reeeives  messages  sueh  that  GOj  =  TRUE  and  HASHjSj}  =  HASH{5j}  for  every 
member  j  G  G,  and  {Hi)  in  Phase  5  she  reeeived  non-empty  inner  private  keys  sueh  that  matehed 
for  every  j  G  G. 

Bi  eontains  all  broadeast  messages  member  i  sent  and  reeeived  in  Phases  1-3,  and  thus,  by 
(/)  and  (//)  and  the  assumption  that  the  hash  funetion  is  seeond-preimage  resistant,  member  i  is  in 
possession  of  the  same  Cn  and  inner  publie  keys  as  every  other  honest  member  j,  exeept  with  neg¬ 
ligible  probability.  Furthermore,  {in)  applies  to  every  honest  j  for  whieh  the  protoeol  is  sueeessful, 
and  so  every  sueh  j  has  inner  private  keys  that  mateh  the  common  inner  public  keys. 

Thus,  member  i  can  decrypt  each  ciphertext  included  in  using  her  set  of  inner  private  keys 
to  obtain  N  messages,  and  the  resulting  list  contains  the  same  messages  in  the  same  order  as  each 
honest  user  j  that  successfully  terminates.  Moreover,  because  member  j  sends  i  GOj  =  TRUE,  the 
inner  ciphertext  C'  must  be  in  their  common  Cjv-  Therefore,  after  decryption,  i  obtains  the  message 
ruj  of  each  honest  member  j.  □ 

Theorem  1.  The  GMP-SHUFFLE  protocol  offers  integrity. 

Proof.  Following  Lemma  1  we  know  that  each  honest  group  member  i  terminates  with  either 
(success,  M^')  or  (failure,  BLAMEj,  after  a  complete  protocol  run  of  GMP-SHUFFLE.  Fol¬ 
lowing  Lemma  2  we  know  that,  for  every  honest  member  who  terminates  with  (SUCCESS,  M^'), 
except  with  negligible  probability,  contains  the  same  N  messages  in  the  same  order,  including 
each  honest  member’s  message.  Thus  the  GMP-SHUFFLE  protocol  offers  integrity.  □ 

5.3.2  The  GMP-Bulk  Protocol 

We  will  show  that  the  GMP-BULK  protocol  terminates  either  with  success  or  failure,  depending 
on  the  outcome  of  the  shuffle  in  Phase  3  and  Phase  7.  If  ANONYMIZE-S  succeeds  in  Phase  3,  all 
ciphertext  G[j  are  correct,  and  ANONYMiZE-S  succeeds  in  Phase  7,  or  if  there  is  no  valid  accusation 
for  each  that  is  incorrect  after  ANONYMIZE- S  in  Phase  7  succeeds,  then  the  protocol  completes 
successfully  outputting  (SUCCESS,  Mf).  Otherwise,  the  protocol  fails,  member  i  executes  the  blame 
procedures  and  outputs  (FAILURE,  BLAMEj,  £*). 

Lemma  3.  After  a  complete  run  o/ GMP-BULK,  each  honest  group  member  i  terminates  with  either 
(success.  Ml)  or  (failure,  BLAMEj,  G). 

Proof.  After  running  ANONYMIZE-B,  each  honest  member  i’s  internal  SUCCESS*  flag  is  set  to  ei¬ 
ther  TRUE  or  FALSE  indicating  the  outcome  of  the  protocol  from  i’s  point  of  view.  Member  i  has 
SUCCESS*  =  TRUE  only  if  in  Phase  4  she  receives  a  correct  and  complete  set  of  ciphertexts  for 
every  k  G  G  and  the  ANONYMiZE-S  protocol  succeeds  in  Phase  7,  or  there  is  no  valid  accusation 
in  Phase  7  for  every  incorrect  ciphertext  received  in  Phase  4  following  a  successful  run  of  the 
ANONYMIZE-S  protocol  in  Phase  7.  Otherwise,  member  i’s  flag  is  set  to  FALSE. 


28 


For  every  honest  member  i,  ANONYMIZE-B  outputs  (SUCCESS,  M')  if  SUCCESS*  =  TRUE  and 
(failure,  BLAMEj,  fj)  if  SUCCESS*  =  FALSE.  Henee,  eaeh  protoeol  run  of  GMP-BULK  terminates 
with  either  (SUCCESS,  or  (FAILURE,  BLAME*,  ii).  □ 

Lemma  4.  For  every  honest  member  i  who  terminates  with  (SUCCESS,  M[)  after  running  GMP-BULK, 
except  with  negligible  probability,  M[  includes  the  same  N  messages,  M[  includes  each  honest 
member’s  message,  and  the  messages  in  M-  are  in  the  same  order. 

Proof.  Assume  that  there  exists  an  honest  member  i  for  whom  GMP-BULK  terminates  sueeessfully. 
Then,  aeeording  to  the  protoeol  speeifieation,  it  must  be  that  (/)  eaeh  member  k  ^  G  sends  i 
GOk  =  TRUE  in  Phase  4,  (ii)  the  run  of  the  ANONYMIZE-S  protoeol  eompletes  sueeessfully  for  i  in 
Phase  7,  and  (Hi)  either  HAShIC*'^}  =  Hjk  for  all  eiphertexts  reeeived  by  i  in  Phase  4  or  no  valid 
aeeusation  is  reeeived  in  Phase  7  for  any  eiphertext  sueh  that  HAShIC'^}  /  Hj^. 

The  deseriptor  and  blame  shuffles  are  exeeuted  by  ealling  ANONYMiZE-S  using  the  parameters 
produeed  by  SETUP-B.  These  parameters  are  produeed  in  the  same  way  that  SETUP-S  does  as  part  of 
GMP- SHUFFLE,  and  therefore  Theorem  1  applies  to  the  deseriptor  and  blame  shuffles.  Thus  every 
honest  member  for  whom  the  deseriptor  shuffle  is  sueeessful,  exeept  with  negligible  probability, 
obtains  the  same  N  message  deseriptors  in  the  same  order,  ineluding  a  message  descriptor  for  each 
honest  member.  By  (/),  the  descriptor  shuffle  is  successful  for  every  honest  member,  and  thus  they 
all  obtain  these  same  descriptors.  Similarly,  every  honest  member  for  whom  the  blame  shuffle  is 
successful  obtains  the  same  N  accusations  in  the  same  order,  including  each  accusation  from  an 
honest  member.  By  (ii),  the  blame  shuffle  is  successful  for  every  honest  member  for  whom  the  bulk 
protocol  is  successful,  and  thus  they  all  obtain  these  same  accusations. 

Therefore,  if  honest  members  receive  different  ciphertexts  in  Phase  4,  the  second-preimage 
resistance  of  the  hash  implies  that  at  least  one  of  the  ciphertexts  must  not  match  the  corresponding 
hash.  The  recipient  of  that  ciphertext  would  report  the  corruption  in  Phase  5,  and  the  equivocation 
would  prevent  the  accusation  shuffle  from  succeeding  for  any  honest  member,  contradicting  (ii). 

Thus  all  honest  members  that  successfully  terminate  must  have  the  same  sequence  of  N  de¬ 
scriptors  and  the  same  ciphertexts.  This  implies  that  these  members  obtain  the  same  N  messages  in 
the  same  order  from  the  bulk  protocol. 

In  addition,  as  shown,  the  descriptors  obtained  by  every  honest  member  include  the  descriptors 
of  all  of  the  honest  members  in  the  same  slots.  Because  each  honest  member  receives  the  same 
ciphertexts,  any  corruption  of  an  honest  member’s  slot  would  be  seen  by  that  member.  That  member 
would  then  produce  an  accusation  which,  as  we  have  described,  would  be  obtained  from  the  blame 
shuffle  by  all  honest  members  who  terminate  successfully.  This  would  contradict  condition  (Hi) 
of  successful  termination.  Therefore,  no  slot  containing  an  honest  member’s  descriptor  can  be 
corrupted  at  an  honest  user.  This  implies  that  the  messages  obtained  by  an  honest  member  from 
successful  termination  of  the  bulk  protocol  must  contain  the  messages  of  all  honest  members.  □ 

Theorem  2.  The  GMP-bulk  protocol  offers  integrity. 

Proof.  Following  Lemma  3  we  know  that  each  honest  group  member  i  terminates  with  either 
(success,  Mj')  or  (failure,  BLAME*,  £*)  after  a  complete  protocol  run  of  GMP-BULK.  Follow¬ 
ing  Lemma  4  we  know  that,  for  every  honest  member  who  terminates  with  (SUCCESS,  M'),  except 
with  negligible  probability,  M[  contains  the  same  N  messages  in  the  same  order,  including  each 
honest  member’s  message.  Thus  the  GMP-BULK  protocol  offers  integrity.  □ 


29 


5.4  Accountability 

Definition  14.  A  Group  Messaging  Protocol  GMP  ojfers  accountability  if,  after  a  complete  protocol 
run, 

1.  the  BLAME*  set  of  any  honest  member  ifor  whom  the  protocol  failed  is  non-empty, 

2.  no  honest  member  is  exposed,  except  with  negligible  probability,  and 

3.  an  honest  member  exposes  every  member  she  blames. 

These  properties  must  hold  even  when  the  protocol  run  is  preceded  by  other  protocol  runs. 

In  Section  5.4.1  we  prove  that  the  GMP-SHUFFLE  protocol  offers  accountability.  Section  5.4.2 
contains  a  corresponding  proof  for  the  GMP-BULK  protocol. 

The  checks  of  each  protocol  form  the  backbone  of  each  proof.  A  main  argument  of  the  proofs 
is  that  the  protocol  fails  when  one  of  the  checks  fails,  each  such  failure  for  i  results  in  an  addition  to 
BLAME*,  and  because  VERIFY-PROOF  uses  the  same  checks  each  such  addition  exposes  the  blamed 
member.  In  addition,  the  round  nonces,  phase  numbers,  and  member  identities  included  in  each 
signed  message  prevent  an  adversary  from  creating  a  log  that  contains  anything  but  the  actual  mes¬ 
sages  sent  by  an  honest  member  in  a  given  round  and  phase.  The  protocols  ensure  that  these  sent 
messages  include  the  messages  received  by  the  honest  member  where  necessary.  Thus  an  honest 
member  is  always  seen  in  the  log  as  behaving  correctly  and  is  not  exposed. 

5.4.1  The  GMP-Shuffle  Protocol 


Lemma  5.  If,  after  a  complete  run  o/ GMP-SHUFFLE,  SUCCESS*  =  FALSE/or  an  honest  member  i, 
then  BLAME*  is  non-empty,  and  every  proof  it  contains  is  verifiable  given  log  £*. 

Proof.  We  will  show  that,  whenever  SUCCESS*  =  FALSE,  i  adds  a  proof  pj  to  BLAME*,  and  ev¬ 
ery  proof  it  adds  is  verifiable.  In  fact,  it  suffices  fo  show  fhaf,  whenever  SUCCESS*  =  FALSE,  i 
adds  a  proof  pj  fo  BLAME*,  because  if  is  sfraighfforward  fo  see  fhaf  any  such  pj  is  verifiable.  In 
VERIFY-PROOF-S,  proof  verificalion  of  pj  (Step  1)  always  succeeds,  because  pj  always  includes 
valid  check  number  and  member  idenlifier;  log  verificalion  of  £*  (Step  2)  always  succeeds  because 
fhe  profocol  complefes  by  assumption,  and  i  adds  all  her  messages  fo  log  £*;  and  fhe  proof  verifica- 
fion  decision  (Step  3)  always  succeeds  because  if  oufpufs  TRUE  given  pj  for  exacfly  fhe  same  logs 
in  which  i  adds  pj  fo  BLAME*. 

Therefore,  we  can  simply  show  fhaf,  whenever  fhe  profocol  fails  for  i,  a  proof  is  added  fo 
BLAME*.  In  ANONYMIZE-S,  SUCCESS*  =  FALSE  upon  protocol  completion  only  in  fhe  following 
fhree  cases:  (1)  in  Phase  4,  GO*  =  FALSE  or  a  non-mafching  broadcasf  hash  is  received,  (2)  in 
Phase  4,  GO^  =  FALSE  for  some  /c  /  i,  (3)  in  Phase  5,  an  empfy,  invalid,  or  non-mafching  inner 
private  key  is  received.  In  any  of  fhese  cases,  if  an  inconsisfenf  or  incomplefe  T  log  is  received  in 
some  pjQ,  fhen  (j,  ci)  is  added  to  BLAME*.  Therefore  we  assume  from  fhis  poinf  on  fhaf  all  T  logs 
are  complefe  and  consisfenf  and  proceed  to  examine  these  cases  separately. 

Suppose  case  (1)  occurs.  We  consider  the  conditions  in  each  of  the  phases  up  to  Phase  4  that 
can  cause  GO*  =  EALSE,  and  we  identify  in  each  case  a  proof  pj  that  must  be  added  to  BLAME*: 


30 


•  In  Phase  1,  an  invalid  public  key  must  be  received  from  some  j.  Then  pj  =  (j,  C5). 

•  In  Phase  2a,  an  invalid  commitment  must  be  received  from  some  j.  Then  pj  =  (j,  ce). 

•  In  Phase  2b,  a  commitment  opening  must  fail  or  result  in  an  invalid  ciphertext  or  identity. 
Then  Pj  =  (^,07). 

•  In  Phase  3,  Ci  must  have  an  invalid  or  duplicate  ciphertext.  If  some  member  j  releases  an 
empty,  invalid,  or  non-matching  outer  private  key  in  Phase  6,  then  pj  =  (j,  C4).  Otherwise,  i 
replays  the  permutations  and  decryptions  of  Phase  3.  During  the  replay,  if  some  member  j  did 
not  correctly  permute  and  decrypt  her  inputs,  then  pj  =  {j,  cg).  Otherwise,  i  must  observe  a 
member  j  whose  commitment  value  decrypted  either  to  an  invalid  ciphertext,  in  which  case 
Pj  =  {j,  cg),  or  to  a  duplicate  ciphertext,  in  which  case  pj  =  (j,  cio). 

•  In  Phase  4,  it  could  be  that  the  inner  ciphertext  C'  is  not  in  Ctv.  In  this  case,  as  in  the 
previous  one,  if  some  member  j  releases  an  empty,  invalid,  or  non-matching  outer  private  key 
in  Phase  6,  then  pj  =  {j,  C4).  Otherwise,  i  replays  Phase  3  and  during  the  replay  must  observe 
some  member  j  who  did  not  correctly  permute  and  decrypt  her  inputs.  Then  pj  =  (j,  cs). 
It  could  also  be  that  a  non-matching  broadcast  hash  is  received  from  j,  in  which  case  j  must 
have  sent  an  incorrect  hash,  and  pj  =  (j,  C12). 

Next  suppose  case  (2)  occurs.  If  some  member  j  releases  an  empty,  invalid,  or  non-matching 
outer  private  key  in  Phase  6,  then  pj  =  (j,  C4).  Otherwise,  i  replays  the  protocol.  If  any  member  j 
sent  an  invalid  public  key  or  an  invalid  commitment,  then  pj  =  (j,  C5)  or  pj  =  {j,  cg),  respectively. 
If  /c  =  1  and  commitment  opening  failed  or  resulted  in  an  invalid  ciphertext  for  some  j,  then 
Pj  =  (j,  C7).  If  there  were  invalid  or  duplicate  ciphertexts  in  Ck,  then  i  must  observe  a  member 
j  who  either  did  not  correctly  permute  and  decrypt  her  inputs,  in  which  case  pj  =  {j,  cg),  or 
committed  to  a  value  that  decrypted  to  an  invalid  or  duplicate  ciphertext,  in  which  case  pj  =  (j,  cg) 
or  Pj  =  (j,  cio),  respectively.  If  the  inner  ciphertext  of  member  k  is  not  included  in  Cn,  then  there 
must  be  some  member  j  who  did  not  correctly  permute  and  decrypt  her  inputs,  and  pj  =  (j,  cs). 
Otherwise,  k  incorrectly  set  GO^,  and  pj  =  (j,  cn)  with  j  =  k. 

Finally,  suppose  case  (3)  occurs.  An  empty  inner  private  key  can  only  be  justified  by  a  GO^  = 
FALSE  for  some  k  or  n  non-matching  broadcast  hash  from  some  j.  In  either  case  we  have  already 
identified  fhe  pj  added  by  i.  If  an  empfy  key  from  some  j  is  nol  juslified,  fhen  pj  =  (j,  C3).  If  an 
invalid  or  non-mafching  inner  privafe  key  is  received  from  some  j,  fhen  pj  =  {j,  C2). 

Thus  we  have  shown  fhaf  hones!  member  i  adds  some  proof  pj  fo  BLAMEj  whenever  SUCCESS*  = 
FALSE,  and  furfhermore  fhaf  any  such  pj  is  a  verifiable  proof  given  log  £*.  □ 

Lemma  6.  An  honest  member  j  is  not  exposed  after  a  run  o/GMP-SHUEELE,  except  with  negligible 
probability. 

Proof.  Suppose  fhaf  fhe  adversary  exposes  an  honesl  member  j.  Thai  is,  suppose  fhaf  he  produces  a 
proof  Pj  and  log  £*  such  fhaf  VERlFY-PROOF-s(pj,  4)  =  TRUE.  To  pass  fhe  inilial  proof  verificalion, 
if  musl  be  fhe  case  fhaf  pj  =  (c,  j).  To  pass  fhe  log  verificalion,  if  musl  be  fhe  case  eilher  fhaf  c  =  ci 
or  fhaf  all  fhe  T  logs  in  fhe  pjg  of  are  complele  and  consislenf. 

Each  message  in  ANONYMIZE-S  idenlifies  fhe  sender  and  is  signed  by  fhaf  sender.  By  fhe  EUF- 
CMA  properly  of  fhe  signalure  scheme,  fhe  adversary  is  nol  able  lo  forge  a  signalure  under  any 
honesl  member’s  key,  excepl  wilh  negligible  probabilily,  and  Iherefore  any  message  signed  by  j  in 
musl  have  been  senl  by  j.  Eurlhermore,  each  message  idenlifies  fhe  round  and  phase  for  which 
fhaf  message  was  senl.  An  honesl  member  sends  exaclly  one  message  during  each  phase  of  a  given 


31 


round.  Therefore,  every  message  in  from  j  must  have  aetually  been  sent  during  that  round  and 
phase  by  j. 

Given  these  faets,  we  ean  go  through  eaeh  possible  eheek  and  show  that  for  eaeh  one  the  needed 
log  evidenee  eannot  exist.  Whenever  we  refer  to  message  we  are  referring  to  the  message  that 
ii  indieates  was  sent  by  member  k  in  phase  (j). 

Suppose  that  c  =  ci.  Then  for  the  proof  to  verify,  £i  must  eontain  either  different  eopies  of  the 
same  message  for  a  given  phase  or  an  ineomplete  log  T  in  a  An  honest  j  would  never  send 
sueh  messages.  Thus  c  /  ci. 

In  eaeh  of  the  remaining  eases,  the  log  veetors  T  in  the  ju-ke  were  verified  during  log  veriheation 
to  be  eomplete  and  eonsistent,  and  £i  is  augmented  with  all  messages  from  all  members  during 
Phases  1-5.  Thus  we  ean  assume  that  eaeh  message  ixk4>  sent  or  reeeived  by  j  during  these  phases 
appears  with  the  same  eontents  in  £i. 

Suppose  that  c  =  C2.  Then  it  must  be  the  ease  that  //ji  and  have  non-matehing  and 
/|ec  j  never  send  sueh  a  pair,  however.  Thus  c  /  C2. 

Suppose  that  c  =  C3.  Then  j  must  have  sent  an  empty  inner  key,  whieh  implies  that  j  observed 
either  a  GO^  =  FALSE  or  a  non-matehing  broadeast  hash  HASHjSfc}.  Therefore  the  Hki  do  not 
eontain  the  evidenee  needed  for  VERIFY-PROOF-S  to  validate  this  eheek.  Thus  c  /  C3. 

Suppose  that  0=04.  Then  either  j  sent  outer  keys  0^“^  and  that  do  not  mateh,  or  j 
ineorreetly  sent  an  empty  outer  private  key.  j  only  ever  sends  matehing  outer  keys,  and  so  the 
former  ease  eannot  apply.  If  j  sent  an  empty  outer  private  key,  it  must  have  been  the  ease  that, 
for  all  the  eontained  GO^  =  TRUE  and  HASH{.Bfc}  =  HASh{.Bj}.  Therefore  the  fiki  do  not 
eontain  the  evidenee  needed  for  VERIFY-PROOF-S  to  validate  this  eheek.  Thus  c  /  C4. 

Suppose  that  0=05.  Then  j  must  have  sent  an  invalid  key  in  An  honest  j  would  never 
send  an  invalid  key,  though,  and  thus  c  /  C5. 

Suppose  that  c  =  cg.  The  j  must  have  sent  an  invalid  eommitment  in  fj.j2a-  An  honest  j  would 
never  send  an  invalid  eommitment,  though,  and  thus  c  ^  ce- 

Suppose  that  c  =  C7.  Then  either  j’s  eommitment  opening  in  fj,j2b  does  not  mateh  the  eommit¬ 
ment  in  ^j2a,  or  the  value  from  the  opening  is  not  a  valid  eiphertext  or  identity,  j  always  sends  a 
matehing  eommitment  and  opening,  though,  and  j’s  eommitted  value  is  always  a  valid  eiphertext 
and  her  identity.  Thus  c  /  C7. 

Suppose  that  c  =  03.  Then  the  messages  in  must  not  be  a  permutation  and  deeryption  of 
the  messages  in  using  the  key  released  by  j.  However,  j  does  eorreetly  permute  and 

decrypt  during  Phase  3  and  only  ever  releases  the  correct  key  used  in  that  decryption.  Thus  c  /  03. 

Suppose  that  c  =  cg.  Then  j  must  send  a  value  Cj  into  the  Phase  3  shuffle  fhaf  resulfs  in 
an  invalid  cipherfexf  afler  some  sequence  of  decrypfions  by  fhe  oufer  privafe  keys  released  by  all 
members.  Those  privafe  keys  are  checked  fo  mafch  fhe  oufer  public  keys  received  by  j,  however,  and 
j  correcfly  forms  Cj  by  encrypfing  mj  wifh  fhe  inner  and  oufer  public  keys  in  sequence.  Therefore 
if  can  never  be  fhaf  Cj  resulfs  in  an  invalid  cipherfexf  affer  decrypfion  by  some  of  fhe  oufer  privafe 
keys,  and  c  7^  cg. 

Suppose  fhaf  c  =  ciq.  Then  if  musf  be  fhaf  for  some  cipherfexf  Ck,  k  /  j,  bofh  Ck  and  Cj 
yield  fhe  same  resulf  afler  some  number  of  sequential  decrypfions  by  fhe  oufer  privafe  keys.  As  we 
eslablished  above,  fhe  messages  in  Phases  1-5  of  C  senf  and  received  by  j  are  fhose  acfually  senf 
and  received  by  j  during  fhe  protocol  run.  Thus,  if  fhe  adversary  were  able  fo  produce  a  commifmenf 
to  a  value  fhaf  is  relafed  to  Cj  in  fhaf  some  sequenfial  decryptions  yield  fhe  same  resulf,  Ihen  we 
could  consfrucf  an  adversary  fhaf  violates  fhe  non-malleabilify  of  fhe  commifmenf  scheme  (Dolev, 


32 


Dwork,  and  Naor  2000).  Thus  c  /  cio- 

Suppose  that  c  =  cn.  Then  it  must  be  that  j  sent  GOj  =  FALSE  without  justifieation.  The 
justifieation  needed  would  be  reeeiving  an  invalid  publie  key  in  Phase  1,  reeeiving  an  invalid  eom- 
mitment  in  Phase  2a,  reeeiving  an  invalid  eommitment  opening  or  opening  an  invalid  eiphertext  or 
identity  in  Phase  2b,  produeing  invalid  or  duplieate  eiphertexts  during  Phase  3,  or  not  reeeiving  her 
own  inner  eiphertext  C'  at  the  end  of  Phase  3.  However,  eaeh  of  these  eonditions  is  true  in  ii  if 
it  was  true  during  the  run  from  j’s  perspeetive.  In  partieular,  the  inner  eiphertext  as  determined 
by  VERIFY-PROOF-S  must  be  the  inner  eiphertext  of  j  beeause  the  deeryption  keys  are  verified  to 
mateh  the  publie  keys  seen  by  j.  j  would  only  send  GOj  =  FALSE  if  one  of  these  eonditions  held, 
and  thus  c  /  cn. 

Suppose  that  c  =  Ci2.  Then  it  must  be  that  the  broadeast  hash  that  j  sent  in  Phase  4  does  not 
mateh  the  hash  of  all  broadeast  messages  up  to  that  point,  j  sends  the  eorreet  hash,  however,  and 
thus  C  /  Ci2. 

Therefore,  there  is  no  value  of  c  for  whieh  VERIFY-PROOE-S  eould  output  TRUE  given  £i,  exeept 
with  negligible  probability,  and  the  adversary  eannot  expose  an  honest  member.  □ 

Theorem  3.  The  GMP-SHUFELE  protocol  offers  accountability. 

Proof.  Following  Lemma  5  we  know  that  after  a  failed  run  of  GMP- SHUFFLE  for  an  honest  member 
i,  BLAMEj  is  non-empty.  Additionally,  every  proof  ineluded  in  BLAMEj  is  verifiable  given  a  log  £i, 
henee,  an  honesl  member  exposes  every  member  she  blames.  Following  Lemma  6  we  know  fhaf  an 
hones!  member  j  is  no!  exposed  affer  a  run  of  GMP- SHUFFLE,  exeepf  wifh  negligible  probabilify. 
Thus  fhe  GMP- SHUFFLE  profoeol  offers  aeeounfabilify.  □ 

5.4.2  The  GMP-Bulk  Protocol 


Lemma  7.  If,  after  a  complete  run  o/ GMP-BULK,  SUCCESSj  =  FALSE /or  an  honest  member  i, 
then  BLAMEj  is  non-empty,  and  every  proof  it  contains  is  verifiable  given  log  i^. 

Proof.  We  will  show  fhaf,  whenever  SUCCESSj  =  FALSE,  i  adds  a  proof  pj  fo  BLAME*,  and  every 
proof  if  adds  is  verifiable.  In  fael,  if  will  suffiee  fo  show  fhaf,  whenever  SUCCESS*  =  FALSE,  i  adds 
a  proof  Pj  fo  BLAME*,  beeause  we  firsl  prove  fhaf  any  sueh  pj  is  verifiable. 

In  VERIFY- PROOF-B,  proof  verifiealion  of  pj  (Step  1)  always  sueeeeds,  beeause  honesl  i  always 
ineludes  a  valid  eheek  number  and  member  idenfifier  in  pj.  Log  verifiealion  of  £*  (Slep  2)  always 
sueeeeds  beeause  fhe  profoeol  eompleles  by  assumplion,  and  i  adds  all  her  messages  fo  log  £*. 
Finally,  given  eomplele  log  £*,  fhe  properlies  of  fhaf  log  fhaf  musl  hold  for  fhe  proof  verifiealion 
deeision  (Slep  3)  fo  oulpul  TRUE  on  proof  pj  are  almosl  exaelly  fhe  same  properlies  fhaf  musl  hold 
for  honesl  i  lo  add  pj  lo  BLAME*.  In  fael,  VERIFY-PROOF-B  only  verifies  as  Irue  more  proofs  for  a 
given  log  lhan  would  be  erealed  by  i,  as  we  show  by  eonsidering  eaeh  eheek  separately: 

•  Pj  =  {ji  ci)‘  VERIFY-PROOF-B  omils  eheeking  for  {j,  cn)  G  BLAME®^  and  olherwise  makes 
Ihe  same  log  eheeks  lo  verify  pj  as  ANONYMIZE- B  does  during  blame  lo  produee  pj. 

•  Pj  =  (i)  ^2):  VERIFY-PROOF-B  and  ANONYMIZE-B  use  ihe  same  log  eheeks  for  Ibis  pj. 


33 


•  Pj  =  (i)  ^s)'  VERIFY-PROOF-B  adds  a  check  to  make  sure  that  the  descriptors  claimed  by  i 
are  those  received  by  j,  but  this  check  is  always  satisfied  by  the  log  of  an  honest  i.  All  other 
checks  are  the  same  for  this  pj. 

•  Pj  =  (j)  ^4)-  VERIFY- PROOF-B  omits  checking  that  the  blame  shuffle  succeeds  and  that  Vi 
contains  some  GO^  =  FALSE.  Otherwise,  it  is  the  same  as  ANONYMIZE-B  for  this  pj. 

•  Pj  =  (i)  ^5)-  VERIFY-PROOF-B  omits  checking  that  the  blame  shuffle  succeeds,  fhat  V  con¬ 
tains  some  GOfe  =  FALSE,  and  that  the  member  with  evidence  of  a  bad  key  gets  blamed  first. 
Otherwise,  it  the  same  as  ANONYMiZE-B  for  this  pj. 

•  Pj  =  (i)  VERIFY-PROOF-B  omits  checking  that  the  blame  shuffle  succeeds,  fhat  V  con¬ 
tains  some  GOfc  =  FALSE,  and  that  the  member  with  equivocation  evidence  gets  blamed  first. 
Otherwise,  it  the  same  as  ANONYMiZE-B  for  this  pj. 

Thus,  VERIFY-PROOF-B =  TRUE  for  every  Pj  G  BLAMEj. 

Therefore,  we  can  simply  show  that,  whenever  the  protocol  fails  for  i,  a  proof  is  added  to 
BLAMEj.  In  ANONYMIZE-B,  SUCCESSj  =  FALSE  upon  protocol  completion  only  in  the  following 
cases: 

1 .  The  blame  shuffle  fails. 

2.  The  blame  shuffle  succeeds  and  outputs  a  valid  accusation. 

3.  Some  contains  GOj  =  FALSE. 

We  consider  each  case  and  identify  a  proof  p  that  is  added  to  BLAME*  in  each  one. 

In  case  (1),  by  Lemma  5,  there  exists  a  verifiable  proof  (j,  c)  G  BLAME^^  given  If  c  =  cn 
and  evidence  of  ciphertext  equivocation  by  k  exists  in  thenp  =  {k,  ci).  Otherwise,  p  =  (j,  C2). 
In  case  (2),  p  =  {j,  C3).  In  case  (3),  p  =  (j,  C4)  if  pj^  contains  no  verifiable  proofs,  p  =  (/c,  C2)  if 
Pj4  has  a  verifiable  proof  of  fc’s  misbehavior  and  k  provides  no  justification  in  p^^,  and  p  =  {£,  C5) 
or  p  =  {£,  ce)  if  Pj4  has  a  verifiable  proof  of  fc’s  misbehavior  but  k  provide  evidence  against  £  in 
Pk3- 

Thus,  if  GMP-BULK  fails  for  i,  BLAME*  contains  a  verifiable  proof  given  £i  and  only  contains 
such  proofs.  □ 

Lemma  8.  An  honest  member  j  is  not  exposed  after  a  run  of  GMP-BULK,  except  with  negligible 
probability. 

Proof  Suppose  that  the  adversary  exposes  an  honest  member  j.  To  pass  the  proof  verification 
of  VERIFY-PROOF-B,  it  must  be  the  case  that  he  produces  a  proof  pj  =  (c,y).  To  pass  the  log 
verification,  it  must  be  the  case  the  log  £*  is  complete. 

Each  message  in  ANONYMiZE-B  identifies  the  sender  and  is  signed  by  that  sender.  By  the 
assumption  the  signature  scheme  is  EUF-CMA,  the  adversary  is  not  able  to  forge  a  signature  under 
any  honest  member’s  key,  except  with  negligible  probability,  and  therefore  any  message  signed  by  j 
in  £i  must  have  been  sent  by  j.  Furthermore,  each  message  identifies  the  round  and  phase  for  which 
that  message  was  sent.  An  honest  member  sends  at  most  one  message  during  each  phase  of  a  given 
round.  Therefore,  every  message  in  £*  from  j  must  have  actually  been  sent  during  that  round  and 
phase  by  j. 


34 


Given  these  faets,  we  ean  go  through  eaeh  possible  eheek  and  show  that  for  eaeh  one  the  needed 
log  evidenee  eannot  exist.  Whenever  we  refer  to  message  we  are  referring  to  the  message  that 
£i  indieates  was  sent  by  member  k  in  phase  cj). 

Suppose  that  c  =  ci.  Then  for  the  proof  to  verify,  ii  must  eontain  different  eopies  of  the  same 
message  for  Phase  4.  An  honest  j  always  sends  the  same  message  to  every  member  in  any  given 
phase  and  therefore  sueh  messages  do  not  exist.  Thus  c  /  ci. 

Suppose  that  c  =  C2.  Then  ANONYMIZE-S  must  have  failed  in  Phase  3  or  Phase  7. 

If  ANONYMiZE-S  failed  in  Phase  3,  then  for  the  proof  to  verify  member  j  must  have  not  dis¬ 
tributed  a  proof  of  another  member’s  bad  key  or  key  equivoeation,  and  there  must  be  a  verifiable 
Pj  G  BLAME^^  for  some  member  k.  However,  if  j  intentionally  eauses  a  failure,  then  she  always 
distributes  an  appropriate  proof  in  and  if  she  does  not,  then  by  Lemma  6  a  verifiable  proof 
blaming  j  eannot  be  produeed,  exeept  with  negligible  probability. 

If  ANONYMIZE-S  failed  for  i  in  Phase  7,  then  for  the  proof  to  verify  member  j  must  have 
not  distributed  a  proof  another’s  member  equivoeation  in  Phase  4,  and  pj  G  BLAME^^  must  be 
verifiable.  However,  if  j  eauses  a  failure  of  fhe  blame  shuffle,  fhen  she  always  disfribufes  a  proof  of 
equivoeation  in  pjj,  and  if  she  does  nof,  fhen  by  Lemma  6  a  verifiable  proof  blaming  j  eannof  be 
produeed,  exeepf  wifh  negligible  probabilify.  Thus  c  /  C2. 

Suppose  fhaf  0=03.  Then  j  musf  have  senf  an  ineorreef  or  empfy  eipherfexf  in  Phase  4. 

Observe  fhaf  fhe  hash  of  broadeasf  messages  in  ii  is  verified  fo  be  equal  fo  fhe  broadeasf  hash 
sen!  by  j,  and  fhus,  by  fhe  seeond-preimage  resisfanee  properly,  if  musf  be  fhaf  fhe  inner  publie 
keys  and  inner  eipherlexls  in  ii  are  fhe  same  as  Ihose  seen  by  j,  exeepf  wifh  negligible  probabilify. 
The  inner  privale  keys  are  verified  fo  maleh  Iheir  publie  keys,  and  fhus  fhe  deseripfors  eompufed  by 
VERIFY-PROOF-B  musf  maleh  Ihose  seen  by  j. 

An  honesl  j  would  only  send  a  non-emply  eipherfexf  if  fhe  pseudorandom  bils  from  ifs 
decrypled  seed  yield  fhe  eorreel  hash  value.  Given  fhaf  fhe  eompufed  deseripfors  maleh  Ihose  seen 
by  j  and  fhaf  only  one  seed  ean  enerypl  fo  a  given  eipherfexf,  fhe  aeeusalion  musf  nof  salisfy  fhe 
validily  eheeks  in  VERIFY-PROOF-B. 

If  j  sends  an  empty  eipherfexf  fhen  if  musf  be  fhaf  due  fo  a  problem  wifh  deseriplor 
fhaf  she  observed.  Thai  is,  if  musf  be  fhaf  Skj  is  nof  a  valid  eipherfexf,  Skj  is  nof  a  valid  seed, 
or  HASHlCfcj}  /  Hj^j.  If  any  of  fhe  above  deseriplor  problems  exisl,  fhen  beeause  fhe  deseripfors 
used  in  VERIFY- PROOF-B  musf  maleh  fhe  ones  seen  by  j,  fhe  aeeusalion  musf  nof  satisfy  fhe  validity 
eheeks  in  VERIFY-PROOF-B.  Thus  c  /  C3. 

Suppose  fhaf  c  =  C4.  Then  if  musf  be  fhaf  j  sen!  GOj  =  FALSE  in  wilhoul  juslifieafion.  The 
jusfifiealion  needed  eilher  would  be  evidenee  in  pj‘^  of  a  bad  key  or  key  equivoeation  in  Phase  la  or 
would  be  a  verifiable  proof  in  pj^  of  misbehavior  during  ANONYMIZE- S  in  Phase  3. 

If  j  sen!  GOj  =  FALSE  in  /ij4,  if  musf  have  been  fhaf  fhe  deseriplor  shuffle  failed  for  j.  If  j 
inlenlionally  eaused  Ibis  shuffle  fo  fail,  fhen  j  observed  bad  or  non-malehing  keys  and  dislribuled 
fhe  evidenee  in  pj^.  If  j  did  nof  inlenlionally  eause  shuffle  failure,  fhen  by  Lemma  5,  BLAME^^ 
eonlains  a  verifiable  proof  given  Thus  0/04. 

Suppose  fhaf  c  =  C5.  Then  j  musf  have  senf  an  invalid  key  in  pjia-  An  honesl  j  would  never 
send  an  invalid  key,  Ihough,  and  fhus  c  /  C5. 

Suppose  fhaf  c  =  cg.  Then  for  fhe  proof  fo  verify,  ii  musf  eonlain  differenl  eopies  of  fhe  same 
message  for  Phase  la.  However,  an  honesl  j  always  sends  fhe  same  message  fo  every  member  in 
any  given  phase.  Thus  c  /  cg. 

Therefore,  Ihere  is  no  value  of  c  for  whieh  VERIFY-PROOF-B  eould  oulpuf  TRUE  given  ty,  exeepf 


35 


with  negligible  probability,  and  the  adversary  eannot  expose  an  honest  member.  □ 

Theorem  4.  The  GMP-bulk  protocol  ojfers  accountability. 

Proof.  Following  Lemma  7  we  know  that  after  a  failed  run  of  GMP-BULK  for  an  honest  member  i, 
BLAMEj  is  non-empty.  Additionally,  every  proof  ineluded  in  BLAME*  is  verifiable  given  a  log  £*, 
henee,  an  honest  member  exposes  every  member  she  blames.  Following  Lemma  8  we  know  that 
an  honest  member  j  is  never  exposed  after  a  run  of  GMP-BULK,  exeept  with  negligible  probability. 
Thus  the  GMP-BULK  protoeol  offers  aeeountability.  □ 

5.5  Anonymity 

Definition  15,  A  protocol  maintains  anonymity  with  k  colluding  members  if  for  all  probabilistic 
polynomial-time  adversaries,  the  advantage  in  the  anonymity  game  with  any  k  dishonest  members 
is  negligible. 

Note  that  the  definition  will  only  make  sense  for  0  <  A:  <  A  —  2.  We  use  the  anonymity  game 
deseribed  by  Briekell  and  Shmatikov  (2006a).  The  anonymity  game  is  played  between  an  adversary 
A  and  a  ehallenger  C{h),  where  b  denotes  a  hidden  ehallenge  bit.  The  adversary  plays  the  roles  of 
k  dishonest  members,  while  the  ehallenger  plays  the  role  of  the  N  —  k  honest  members. 

The  anonymity  game  works  as  follows: 

1.  As  many  times  as  A  requests,  C{b)  takes  message  inputs  for  the  honest  members  from  A  and 
uses  them  to  exeeute  the  protoeol  with  A,  giving  him  a  eopy  of  every  message  sent. 

2.  A  ehooses  two  honest  partieipants  a  and  /3  and  two  message  inputs  mg  and  mf  He  also 
ehooses  message  inputs  m/*  for  eaeh  honest  member  h  and  sends  his  ehoiees  to  C{b). 

3.  C{b)  assigns  rria  =  m^  and  mp  =  m|. 

4.  A  and  C{b)  exeeute  the  protoeol,  during  whieh  C{b)  gives  A  a  eopy  of  every  message  sent. 

5.  As  many  times  as  A  requests,  C{b)  takes  message  inputs  for  the  honest  members  and  uses 
them  to  exeeute  the  protoeol  with  A,  giving  him  a  eopy  of  every  message  sent. 

6.  The  adversary  outputs  a  guess  6  G  {0, 1}  for  the  value  of  b. 

The  adversary’s  advantage  in  the  anonymity  game  is  equal  to 

Pr  =  1  -Pr  =  1  , 

where  the  probability  is  taken  over  the  randomness  of  both  the  adversary  and  of  the  ehallenger. 

5.5.1  The  GMP-Shuffle  Protocol 

We  eonsider  the  anonymity  game  running  GMP-SHUFFLE  and  show  that  the  adversary’s  advantage 
in  winning  this  game  is  negligible. 

We  begin  by  using  any  adversary  A  to  eonstruet  Game  0,  in  whieh  a  new  ehallenger  ran¬ 
domly  guesses  whether  a  given  honest  user  will  release  her  outer  private  key  during  the  final  phases 


36 


of  the  protocol.  When  guesses  correctly,  he  behaves  exactly  as  C  would  in  the  anonymity  game 
and  the  game  ends  with  the  output  of  A.  When  guesses  incorrectly,  the  game  output  is  a  random 
bit.  guesses  independently  of  A,  and  so  we  will  be  able  to  show  that  the  game  output’s  advantage 
in  Game  0  is  1/2  the  advantage  of  A  in  the  anonymity  game. 

Then  we  define  Game  1,  in  which  a  further  modified  challenger  creafes  fhe  inner  or  outer 
cipherfexls  of  a  by  sfarfing  wifh  a  plainfexf  unrelafed  fo  fhe  challenge  message  m;,.  We  will  be 
able  fo  show  fhaf  advanfage  in  Game  1  is  negligibly  close  fo  fhe  advanfage  in  Game  0  by  showing 
how  a  non-negligible  change  in  advanfage  would  allow  us  fo  distinguish  encrypfed  messages  wifh 
non-negligible  probabilify. 

Finally,  we  define  Game  2  by  creafing  a  challenger  from  in  fhe  same  way  fhaf  was 
creafed  from  C^,  excepf  replacing  a  by  /3  and  rrib  wifh  mg  in  fhe  changes.  We  can  show  fhaf  fhe 
advanfage  changes  negligibly  from  Game  1  fo  Game  2  using  a  similar  argumenf  as  used  from  Game 
0  fo  Game  1 .  If  will  be  fhe  case  fhaf  fhe  advanfage  in  Game  2  musf  be  0  because  fhe  adversary  sees 
fhe  same  disfribufion  of  messages  from  fhe  challenger  regardless  of  fhe  challenge  bif. 

Lef  /ii,  /i2, . . . ,  h]\f-k  be  fhe  hones!  users  in  fhe  order  fhey  appear  in  fhe  shuffle.  Lef  Z*  indicate 
fhaf  fhe  challenger  C*  guesses  fhaf  hi  should  release  her  outer  privafe  key  af  some  poinf  as  par! 
of  ANONYMIZE-S,  lef  G*  be  a  “game  oufpuf”  for  Game  i,  and  lef  F*  indicate  whefher  or  nol  fhe 
challenger  failed  in  Game  i.  In  fhe  games  and  fheir  associated  random  variables,  fhe  challenge  bif  b 
is  a  hidden  inpuf  fhaf  we  generally  omit. 

Game  0:  In  this  game,  A  interacts  with  a  challenger  that  sometimes  fails.  sets  G 
{0,1}  uniformly  at  random.  behaves  the  same  as  C  except  in  the  following  cases  of  the  challenge 
shuffle,  when  his  guess  abouf  which  keys  will  be  released  proves  fo  be  incorrecf: 

1.  In  Phase  3  (Anonymization),  =  0  and  fhe  partial  decrypfions  of  fhe  outer  cipherfexls  Ca 
and  Cjs  wifh  keys  . . . ,  do  nol  appear  exaclly  once  each  in  fhe  cipherlexl  veclor 

Chi-i  senl  fo  hi.  can  check  Ibis  by  comparing  fo  fhe  partial  cipherfexls  creafed  during 
Phase  2a. 

2.  In  Phase  4  (Verification),  Z^  =  0  and  eilher  of  fhe  inner  cipherfexls  and  is  missing 

eilher  from  fhe  copy  of  veclor  Cjy  senl  fo  a  or  from  fhe  copy  senl  fo  /?.  Again,  can  notice 

Ibis  by  comparing  fo  inner  cipherfexls  creafed  during  Phase  2a. 

3.  In  Phase  5  (Key  Release  and  Decryplion),  Z^  =  1  and  member  hi  receives  GOj  =  TRUE  and 
HASH{.Bj}  =  HASH{.Bftj}  for  every  member  j  /  hi,  and  =  TRUE. 

4.  In  Phase  6  (Blame),  Z^  =  0  and  i)  GOhi  =  FALSE,  ii)  hi  received  GOj  =  FALSE  from  any 
member  j,  or  Hi)  hi  received  HASH{.Bj}  /  HASh{.B/jj  }  from  any  member  j. 

In  each  of  Ihese  cases,  =  1,C^  lerminales,  and  fhe  game  oufpuf  is  sel  fo  a  uniformly  random 
bif.  In  every  olher  case,  =  0,  correclly  executes  ANONYMiZE-S  on  behalf  of  fhe  honesl 
users,  and  is  sef  fo  fhe  oufpuf  bif  of  A. 

Game  1:  In  Ibis  game,  we  furlher  modify  fhe  challenger  fo  define  C^,  which  replaces  wifh 
unrelafed  cipherfexls  fhe  intermediate  slages  of  fhe  conslrucfion  of  fhe  inner  or  ouler  cipherlexl  of 
a,  depending  on  Z^.  Thai  is,  G^  behaves  fhe  same  as  G^,  excepf 

1 .  In  Phase  2a, 


37 


Case  1:  =  0.  A  partially  encrypted  outer  ciphertext  for  a  is  created  and  stored  as  C"  = 

j-pub  rpub^  ^pub  ^pub  ^  and  the  outer  ciphertext  is  then  created  as  Cq  =  {C'^}  ^pub  ^pub . 

'^1  -^hi 

Also  create  C'  =  {mb}  jpub  _  jpub  for  later  use.  The  public  keys  used  for  each  ciphertext  of  a 
Jjv  -^1 

are  those  received  by  a  in  Phase  1 . 

Case  2:  =  1.  The  inner  ciphertext  for  a  is  created  and  stored  as  C'  =  {a}  .pub  .pub,  and 

Jjv  -^1 

the  outer  ciphertext  Ca  is  created  from  in  the  same  way  as  C^.  Again,  the  public  keys 
used  for  each  ciphertext  of  a  are  those  received  by  a  in  Phase  1 . 

The  rest  of  the  phase  is  executed  in  the  same  way  as  C^. 

2.  In  Phase  3,  if  Z^  =  0  and  both  the  stored  ciphertext  and  the  partial  decryption  of 
by  . . . ,  (which  knows  because  it  created  C^)  appear  exactly  once  each  in  the 
vector  of  ciphertexts  Chi-i  sent  to  hi,  then  replace  C"  with  {C^}  ^pub  _^pub  for  inclusion  in 

the  vector  (7/^  sent  to  hi  +  1,  where  the  encryption  uses  the  outer  keys  sent  to  a. 

In  every  other  way,  executes  in  the  same  way  as  C^. 

Game  2:  This  game  is  created  from  Game  1  using  the  same  changes  given  in  its  definition, 
except  replacing  a  with  /3  and  mb  with  mg  everywhere. 

The  following  lemma  shows  that  Game  0  is  a  relevant  starting  point  because  its  output’s  advan¬ 
tage  is  1/2  the  advantage  of  A  in  the  anonymity  game: 

Lemma  9. 

A(G°)  =  ^  Pr  =  1  -Pr  A^^^^  =  1  , 

where  the  probability  is  taken  over  the  randomness  of  both  the  adversary  and  the  challenger. 

Proof.  Let  Ta^  be  the  set  of  all  possible  game  transcripts,  that  is,  sequences  of  messages,  between 
A  and  C.  Let  ^70  be  the  set  of  transcripts  between  A  and  C^.  We  claim  that  each  member  of 
Ta,c  and  Ta  co  falls  into  exactly  one  of  following  cases,  which  are  nearly  the  same  as  the  failure 
cases  defining  Game  0: 

1.  In  Phase  3,  fhe  expecfed  cipherfexls  of  a  and  /3  are  nol  sen!  fo  hi  exacfly  once  each. 

2.  Case  1  does  nol  occur,  and  in  Phase  4,  eilher  of  fhe  inner  cipherfexls  C'^  and  C'^  is  missing 
from  eilher  fhe  copy  of  vector  Cn  senl  lo  a  or  fhe  copy  senl  to  /?. 

3.  Al  fhe  slarl  of  Phase  5,  =  TRUE,  and  hi  receives  from  every  member  j  GOj  =  TRUE 

and  HASH{.Bj}  =  HASH{.Bftj}. 

4.  Case  1  does  nol  occur.  Case  2  does  nol  occur,  and  al  Ihe  slarl  of  Phase  6  /)  GOhi  =  FALSE, 
ii)  hi  received  GOj  =  FALSE  from  some  member  j,  or  in)  HASH{i?j}  /  HASH{i?/ij}  from 
some  member  j. 

Cases  1,  2,  and  4  are  mulually  exclusive  evenls  because  Ihe  latter  of  Ihese  cases  are  explicilly  defined 
to  occur  only  when  Ihe  previous  do  nol.  Case  3  is  disjoinl  from  Ihe  olher  Ihree  cases  because  each 
of  Ihem  eilher  resulls  in  termination  before  Phase  5  or  results  in  GOh  =  FALSE  sent  in  Phase  5  from 
an  honest  node  h.  One  of  these  cases  always  occurs  because  one  of  the  following  is  true  of  the 
execution: 


38 


1.  The  challenger  fails,  which  as  mentioned  above  only  happens  in  one  of  these  cases. 

2.  After  Phase  4,  GO/^  =  FALSE  or  hi  received  from  some  member  j  GOj  =  FALSE  or 
HASH{.Bj}  /  HASh{.B/jj  },  which  implies  that  one  of  Cases  1,  2,  or  4  above  occurred. 

3.  After  Phase  4,  GOhi  =  TRUE  and  hi  received  from  every  member  j  GOj  =  TRUE  and 
HASH{i?j}  =  HASH{i?/ij},  which  implies  that  Case  3  above  occurred. 

Now  consider  members  of  Ta,c  that  fall  in  Case  1  above.  sends  messages  according  to  the 
same  distribution  as  C  up  to  the  Phase  3  message  to  hi.  Whether  or  not  Case  1  also  applies  to 
a  transcript  in  co  is  determined  by  the  messages  up  to  this  point.  Thus  the  probability  that 
Case  1  applies  to  a  transcript  in  is  the  same  as  for  a  transcript  in  Ta^c-  Moreover, 

is  independent  of  these  messages,  and  thus  fails  under  the  first  failure  case  of  Game  0  with 
probability  1/2  among  those  Ta  qo  transcripts  in  Case  1.  Among  those  same  transcripts  where 
does  not  fail  under  the  first  failure  case,  must  be  1  and  GOh^  =  FALSE  if  Phase  4  is  reached, 
so  the  other  failure  cases  of  Game  0  don’t  apply  and  behaves  the  same  as  C  throughout  the 
transcript.  Therefore,  the  distribution  of  Ta  qo  transcripts  in  Case  1  given  that  =  0  is  the  same 
as  the  distribution  of  Ta^c  transcripts  in  Case  1. 

Next  consider  those  Ta,c  transcripts  not  in  Case  1.  Because  Case  1  does  not  apply,  C  and 
behave  the  same  up  through  Phase  3.  Whether  or  not  Case  2  applies  is  determined  by  the  end  of 
Phase  3.  Thus  the  probability  that  Case  2  applies  to  a  Ta  qo  transcript  is  the  same  as  for  a  TAfi 
transcript.  Z^  is  again  independent  of  all  partial  Ta  co  transcripts  in  Case  2  up  through  Phase  3. 
Thus,  fails  under  the  second  Game  0  failure  case  in  transcripts  in  this  case  with  probability 
1/2.  Moreover,  when  does  not  fail  under  the  second  failure  case  but  the  transcript  is  in  Case  2, 

=  1  and  either  GOh  =  FALSE  for  one  of  h  G  {a,  /?}  or  the  hashes  of  the  broadcast  vectors  of 
a  and  j3  don’t  match.  Thus,  the  other  failure  cases  of  Game  0  don’t  apply,  and  so  behaves  the 
same  as  C  throughout  the  transcript.  Therefore,  the  distribution  of  Ta^c'^  transcripts  in  Case  2  given 
that  F  =  0  is  the  same  as  the  distribution  of  Ta,c  transcripts  in  Case  2. 

Next  consider  those  Ta^c  transcripts  not  in  either  Case  1  or  Case  2.  Because  Case  1  and  Case 
2  don’t  apply,  C  and  behave  the  same  up  through  Phase  4.  Whether  or  not  Case  3  applies  is 
determined  by  the  end  of  Phase  4.  Thus  the  probability  that  Case  3  applies  to  a  Ta  co  transcript  is  the 
same  as  for  a  Ta^c  transcript.  Z^  is  again  independent  of  all  partial  Ta  co  transcripts  in  Case  3  up 
through  Phase  4.  Thus,  fails  under  the  third  failure  case  in  transcripts  in  this  case  with  probability 
1/2.  Moreover,  when  does  not  fail  under  the  third  failure  case  but  the  transcript  is  in  Case  3, 
Z^  =  0,  GO/i^  =  TRUE,  hi  receives  GOj  =  TRUE  from  all  j,  and  HASH{.Bj}  =  HASHjF/jj}  for  all 
j.  Thus,  the  fourth  failure  case  of  Game  0  does  not  apply.  The  first  two  failure  cases  can’t  apply  to 
any  transcript  in  Case  3,  and  so  behaves  the  same  as  C  throughout  the  transcript.  Therefore,  the 
distribution  of  Ta^c°  transcripts  in  Case  3  given  that  =  0  is  the  same  as  the  distribution  of  Ta^ 
transcripts  in  Case  3. 

Finally,  consider  those  Ta^c  transcripts  not  in  Case  1,  Case  2,  or  Case  3.  Because  Cases  1-3 
don’t  apply,  C  and  behave  the  same  up  through  Phase  5.  Whether  or  not  Case  4  applies  is 
determined  by  the  end  of  Phase  5.  Thus  the  probability  that  Case  4  applies  to  a  Ta  transcript  is 
the  same  as  for  a  TAfi  transcript.  Z^  is  again  independent  of  all  partial  Ta  transcripts  in  Case 
4  up  through  Phase  5.  Thus,  fails  under  the  fourth  failure  case  in  transcripts  in  this  case  with 
probability  1/2.  Moreover,  the  other  failure  cases  don’t  apply  to  transcripts  in  Case  4,  and  so,  when 
Case  4  applies  but  does  not  fail,  behaves  the  same  as  C  throughout  the  transcript.  Therefore, 


39 


the  distribution  of  qo  transcripts  in  Case  4  given  that  =  0  is  the  same  as  the  distribution  of 
Ta,c  transcripts  in  Case  4. 

Thus,  because  =  0  with  probability  1/2  for  each  of  the  above  cases,  =  0  with  probability 
1  /2  overall.  In  addition,  because  the  distribution  of  transcripts  in  each  of  the  above  cases 
conditional  on  =  0  is  the  same  as  the  distribution  of  Ta^c  transcripts  in  the  same  cases,  and  the 
probability  of  each  case  is  the  same  between  Ta,c  and  Ca  c^,  the  conditional  distribution  of  qo 
given  =  0  is  the  same  as  the  distribution  of  Ta,c-  The  game  output  G^{h)  is  if  =  0 

and  is  a  uniformly  random  bit  if  =  1.  Therefore, 

Pr[G°{b)  =  1]  =  Fr[F°  =  0]Fr[G°(6)  =  1|F°  =  0]  +  Fr[F°  =  l]Fr[G°(6)  =  1|F°  =  1] 

=  If, ■[aC(‘.  =  11  +  1.1, 

which  proves  the  lemma.  □ 

The  next  lemma  shows  that  changing  the  ciphertexts  between  Game  0  and  Game  1  can  only 
change  the  advantage  of  the  game  output  by  a  negligible  amount. 

Lemma  10.  |  A(G^)  —  A(G°)|  is  negligible. 

Proof.  We  prove  the  lemma  by  constructing  a  distinguisher  D{b)  that  has  a  non-negligible  advan¬ 
tage  in  the  distinguishing  game  if  |Fr[G^(6)  =  1]  —  Pr[G^{b)  =  1]|  is  non-negligible.  Let  6^)  be 
the  challenge  bit  in  the  distinguishing  game.  D  interacts  with  the  distinguishing-game  challenger 
Gnibn)  and  A  to  execute  either  Game  0  or  Game  1,  depending  on  bo,  as  follows: 

1 .  D  simulates  the  challenger  of  the  anonymity  game  G (6)  exactly  up  to  Phase  1  of  the  challenge 
shuffle.  Let  Z  denote  the  random  guess  about  later  key  releases  that  D  makes  as  part  of  the 
simulation. 

2.  For  Phase  1,  D  generates  encryption  key  pairs  and  1  <  i  <  N  —  k. 

D  obtains  the  public  encryption  key  from  Gd  and  generates  the  encryption  key  pair 
(FTf  ^  Then, 

Case  P.  Z  =  0.  D  sets 

Qpnb  ^ 

Case  2:  Z  =  1.  D  sets 

ipub  ^  J^pub 

Then  D  broadcasts  these  public  keys  from  the  honest  members  as  described  in  the  protocol. 

3.  For  Phase  2a, 

Case  P.  Z  =  0.  D  sets  G'  =  {mb}  j-pub  rpub  ^  —  \^Cy\  and 

•-'l  -^hi+l 

m'l  =  {{a}  jpub  _  jpub  }  ^pub  _^pub  ,  using  the  encryption  keys  of  a.  D  submits  (mg,  mf)  to  Gd, 


40 


and  receives  as  a  response.  D  sets  C"  =  c;,^ .  D  then  finishes  the  phase  as  would 
starting  after  it  creates  C”  in  Case  1. 

Case  2:  Z  =  1.  D  sets  ttIq  =  {rrib}  jpub  _  jpub  and  m'^  =  {a}  jpuh  jpub  .  D  submits  {mQ,m\) 

-'iv  '-^hi+l  ■-'hi+1 

to  Cd  and  receives  as  a  response.  D  sets  C'^  =  {cb^}  jpub  rpub  .  All  encryption  is  done 

—  1  1 

using  the  keys  received  by  a.  D  then  finishes  fhe  phase  as  would  sfarfing  afler  if  creafes 
C'^  in  Case  2. 


4.  Phase  2b  is  executed  as  described  in  fhe  protocol. 

5.  For  Phase  3,  D  firsl  receives  a  cipherfexf  vector  of  Chi-i  intended  for  hi.  Then 

Case  1:  Z  =  0,  and  bofh  C'^  and  fhe  partial  decryption  of  Cp  by  . . .  ,/bi-i  (which 
D  can  check  because  fhaf  cipherfexf  was  consfrucfed  by  D  alone)  appear  in  Cbi-i  exacfly 
once.  Then  D  replaces  C"  wifh  mg,  decrypfs  fhe  remaining  cipherfexls  using  Cd,  shuffles 
fhe  vecfor,  and  sefs  to  the  result.  D  then  finishes  the  phase  as  described  in  the  protocol 
starting  with  sending  Chi  *^0  member  hi +  1. 

Case  2\  Z  =  Q,  and  C"  or  the  partial  decryption  of  does  not  appear  in  Chi-i  exactly 
once.  In  this  case,  D  terminates  the  simulation  and  sets  G  G  {0, 1}  uniformly  at  random. 

Case  3:  Z  =  1.  D  has  the  private  outer  keys  for  all  honest  members,  and  therefore  can 
execute  this  phase  just  as  would. 

D  executes  this  phase  for  other  honest  members  hi,  f  >  1,  as  described  in  the  protocol. 

6.  D  executes  Phase  4  as  would,  which  is  possible  because  this  phase  uses  no  private  keys. 
If  terminates,  D  terminates  the  simulation  and  sets  G  G  {0, 1}  uniformly  at  random. 

7.  D  executes  Phase  5  as  would.  This  is  possible  because  if  Z  =  Q  D  has  the  inner  private 
keys  and  if  Z  =  1  fails  if  inner  private  keys  are  required.  If  fails,  D  terminates  the 
simulation  and  sets  G  G  {0, 1}  uniformly  at  random. 

8.  D  executes  Phase  6  as  G^  would.  This  is  possible  because  if  Z  =  0  G^  fails  if  outer  keys  are 
required  and  if  Z  =  1  77  has  the  outer  private  keys.  If  G^  fails,  D  terminates  the  simulation 
and  sets  G  G  {0, 1}  uniformly  at  random. 


9.  As  many  times  as  requested,  D  takes  messages  for  the  honest  members  and  executes  the 
shuffle  protocol  wifh  A. 

10.  If  fhe  simulafion  did  nol  ferminafe  premafurely,  lef  6^  be  fhe  guess  oufpuf  by  A  and  sef 
G  =  6a-  D  oufpufs  ifs  guess  in  fhe  distinguishing  game  asbo  =  G. 

We  claim  fhaf  D  simulafes  G^^  wifh  A,  fhaf  is,  fhaf  D  effectively  execufes  Game  0  or  Game  1, 
depending  on  bn-  Thai  D  correcfly  simulafes  all  sfeps  of  fhe  anonymity  game  excepf  fhe  challenge 
shuffle  (i.e.  Steps  6,  and  7)  follows  because  if  is  defined  as  doing  so,  and  fhese  sfeps  are  fhe 
same  for  C^  and  G^.  To  show  fhaf  fhe  challenge  shuffle  (Sfep  5)  is  simulated  correcfly,  we  show 
fhaf  for  each  phase,  D  simulates  G^^ : 


•  Phase  1:  Allhough  one  public  key  is  defermined  by  fhe  challenger  Cd,  the  end  result  is  that 
D  broadcasts  inner  and  outer  public  keys  for  honest  members  that  are  generated  using  the 
cryptosystem’s  key  generation  algorithm,  just  as  both  G°  and  G^  do. 


41 


Phase  2a: 


Case  1:  bn  =  0.  The  result  of  using  the  response  from  Cd  io  eonstruet  Ca  is  that  a  eommits 

to  {{mb}  jpub  _  rpub  }  ^pub  _^pub  5  where  the  keys  used  are  those  reeeived  by  a,  just  as  in  C^.  The 
Jjv  -^1  •'^1 

other  honest  members  behave  as  they  do  in  by  definition,  whieh  is  the  same  as  in  C^. 

Case  2:  bo  =  1-  The  result  of  using  the  response  from  Cd  is  that  a  eommits  to 
{  {  tP'^^  .  }  ^pub  _^pub  5  where  the  keys  used  are  those  reeeived  by  a,  just  as  in  C^.  The  other 

honest  members  behave  as  they  do  in  by  definition. 

•  Phase  2b:  D,  C^,  and  all  exeeute  this  phase  as  deseribed  in  the  protoeol. 


•  Phase  3: 

Case  1:  Z  =  0  and  both  C"  and  the  partial  deeryption  of  Cj^  by  . . . 
exaetly  onee.  For  hi,  D  replaees  C"  with  m-Q  =  {{mb}  rpub^pub} 


,  Phi’Ll  appear  in 
^pub  ^^pub  when 


eonstrueting  Chi,  •^he  other  eiphertexts  are  simply  deerypted  .  This  is  just  as  both  and 
would  have  done.  For  the  other  honest  members,  D  exeeutes  them  as  deseribed  in  the 
protoeol,  just  as  and  would  do. 

Case  2:  Z  =  0  and  either  C"  or  the  partial  deeryption  of  C/j  by  . . . ,  If^^_i  does  not 
appear  in  Chi-i  exaetly  onee.  D  terminates  the  game,  just  as  both  and  would  do. 
Case  3:  Z  =  1.  D  exeeutes  just  as  would  by  definition,  whieh  is  the  same  as  C^. 


•  Phases  4-6:  D  exeeutes  these  phases  just  as  would  by  definition,  whieh  is  the  same  as  C^. 


Thus  D  eorreetly  simulates  for  A.  Moreover,  observe  that  when  does  not  prematurely 
terminate,  then  D  uses  the  output  bA  of  A  for  the  game  output  G,  and  when  does  terminate, 
then  D  randomly  sets  G  G  {0, 1}.  This  is  exaetly  how  G^^  is  set.  Therefore,  the  advantage  of  D  in 
the  distinguishing  game  is 


Pr 


bo  =  1|&D  =  1 


—  Pr 


bn  =  1|&D  =  0 


=  \Pr[G  =  l\bD  =  1]  -  Pr[G  =  1|6d  = 
=  \Pr  [G^  =  1]  -  Pr  [G°  =  l]  |  . 


Therefore,  beeause  we  assume  that  the  eryptosystem  is  IND-CCA2,  Pr[G^  =  1]  —  Pr[G°  =  1] 
must  be  negligible.  This  implies  the  lemma.  □ 


Game  1  is  modified  fo  ereafe  Game  2  by  replaeing  some  eipherfexfs  of  j3  jusf  as  Game  0  was 
modified  fo  ereafe  Game  1  by  replaeing  eipherfexls  of  a.  Thus  for  similar  reasons  as  before,  if  holds 
fhaf  fhaf  fhe  advanfage  of  fhe  game  oufpuf  ehanges  by  a  negligible  amounf  from  Game  1  fo  Game  2. 

Lemma  11.  |  A(G^)  —  A(G^)|  is  negligible. 

Proof.  The  proof  is  exaefly  fhe  same  as  fhe  proof  for  Lemma  10  exeepf  for  fhe  following  ehanges: 

1.  Everywhere  a  is  replaeed  by  (3,  [3  is  replaeed  by  a,  and  m^  is  replaeed  by  m|. 

2.  The  simulafion  elaim  is  fhaf  D  simulafes  for  A,  rafher  fhan  .  Thus  fhe  resulting 

exeeufion  is  idenfieal  fo  eifher  Game  2  or  Game  1,  rafher  fhan  Game  1  or  Game  0,  and  fhe 
oufpuf  G  is  has  fhe  same  disfribufion  as  rafher  fhan  G^^. 


42 


□ 


We  now  show  that  when  Game  2  does  not  fail,  the  adversary  has  the  same  view  whether  tuq 
belongs  to  a  or  /3  and  therefore  has  no  advantage  in  the  output  of  Game  2.  In  doing  so  we  view  the 
ehallenger  as  invoking  a  subroutine  C"^  that  just  exeeutes  the  ehallenge  shuffle  of  the  anonymity 
game.  This  view  allows  our  results  to  be  reused  when  proving  the  anonymity  of  the  bulk  protoeol, 
whieh  ealls  the  shuffle  as  a  subprotoeol. 

Speeifieally,  we  eonsider  the  simulation  by  of  ANONYMIZE-S  during  the  ehallenge  run  of 
the  shuffle  protoeol  as  an  invoeation  of  C'^.  The  inputs  from  to  C"^  are  the  ehallenge  bit  b, 
the  ehallenge  members  a  and  j3,  the  ehallenge  messages  ttiq  and  mf,  the  honest  non-ehallenge 
messages  {mfi}h&H\{a,i3}’  the  round  number  hr,  the  signing  keys  K,  the  member  ordering  r,  and 
fail  flags  {fh  =  FALSEj/ig//.  Let  /  be  a  veetor  all  of  these  inputs  exeept  b.  Let  the  output  of  honest 
members  from  the  ehallenge  shuffle  be  O  =  {Ohi ,  ■  ■  ■ ,  where  Oh-  is  the  output  of  hi. 

fails  if  and  only  if  fails.  Let  F'^  indieate  that  fails.  Let  M  be  the  transeript  of  messages 
between  C"^  and  A  during  the  ehallenge  shuffle.  When  =  1,  O  and  M  are  defined  to  take  a 
eonstant  failure  value. 

The  following  lemma  shows  that  ehanging  the  ehallenge  bit  b  does  not  ehange  the  joint  proba¬ 
bility  of  ehallenger  failure,  shuffle  messages,  and  honest  members’  shuffle  outputs: 

Lemma  12. 


Pr[M  =  m  f\0  =  o  f\  F'"^  =  f\I  =  i  A  6  =  0]  =  Pr[M  =  m  f\0  =  o  f\  F'"^  =  f\I  =  i  A  6  =  1]. 


Proof.  We  eonsider  the  messages  sent  in  eaeh  phase  as  well  as  the  final  output  and  show  that  they 
do  not  depend  on  b.  In  order  to  do  this,  we  also  traek  some  of  the  internal  variables  and  show  that 
they  are  updated  the  same  way  regardless  of  b. 

•  Phase  1: 


-  sets  guess  independently  of  b. 

-  Each  honest  member  h  generates  inner  and  outer  keypairs  and 

independently  of  b. 

-  The  message  ^hi  =  ur,  1,  sent  by  each  honest  member  h  G  H  is 

independent  of  b  by  the  above. 

-  The  messages  to  h  from  other  honest  members  are  shown  above  to  be  independent  of  b. 

-  The  messages  to  h  from  A  are  independent  of  b  because  A  uses  the  outputs  of  SETUP-S 
as  well  as  the  messages  from  honest  users  to  generate  its  messages,  both  of  which  are 
shown  above  to  be  independent  of  b. 

-  GOh  is  set  to  FALSE  if  h  receives  invalid  public  keys.  Thus  by  the  above  GOh  is  inde¬ 
pendent  of  b. 

•  Phase  2a:  This  phase  depends  on  Z^,  which  has  been  shown  to  be  independent  of  b. 


—  Case  P.  Z^  =  0. 


* 


The  partially  decrypted  outer  ciphertexts  = 
do  not  depend  on  b  by  the  above. 


'f'f/Z'T  jpub  Tpub\ ^pub  _  ^pub  ^  h  G  {a,  (3} 
-^1  '-'n 


43 


*  The  outer  eiphertexts  Ch  =  {C'i^}Qpub  .^pub,  h  G  {a,  /?},  do  not  depend  on  b  by 
the  above. 

*  The  inner  eiphertexts  =  {dh}  jpub _  jpub^  h  G  H\{a,  /?},  do  not  depend  on  b  by 
the  above. 

*  The  outer  eiphertexts  Ch  =  {C'C^pub  „puh,  h  G  H\{a,  /?},  do  not  depend  on  b  by 
the  above. 

*  Note  that  the  inner  eiphertext  C'^  =  {mb}  j-pub  _  j-pub  does  depend  on  h  (and  similarly 

'-^1 

for  C^). 

-  Case  2:  =  1. 


*  The  inner  eiphertexts  C}  =  {h}  jpub  jpub  ,  h  G  {a,  /?},  do  not  depend  on  b  by  the 

'^1 

above. 

*  The  inner  eiphertexts  =  {dh}  rpub  _  jpub^  h  G  H\{a,  /?},  do  not  depend  on  b  by 

■'jv  ■-'i 

the  above. 

*  The  outer  eiphertexts  Ch  =  {C{}  0pub  _0pub  5  /i  G  Tf,  do  not  depend  on  b  by  the 
above. 


-  The  eommitments  Xh  =  COMMIt{C/i,  h},  h  ^  H,  do  not  depend  on  b  beeause  h  does 
not  and  Ch  does  not  by  the  above. 

-  The  message  ph2a  =  {Xh,  ur,  2a,  h}siGu,^  sent  by  eaeh  h  G  H  does  not  depend  on  b 
by  the  above. 

-  The  additional  inputs  to  A  sinee  his  last  output  are  messages  iJ.h2a,  h  G  H,  shown 
above  to  be  independent  of  b.  Thus  the  messages  /ii2a,  i  G  D,  reeeived  by  /i  G  Tf  are 
independent  of  b. 

-  The  messages  Hh2a,  h  £  H,  reeeived  by  h'  £  H  are  shown  above  to  be  independent  of 
b. 


-  GOh  is  set  to  FALSE  if  h  reeeives  an  invalid  eommitment,  h  £  H.  Thus  GOh  still  does 
not  depend  on  b  by  the  above. 


•  Phase  2b: 


-  The  message  fih2b  =  {OPEN{2f/i},  n/j,  2b, sent  by  eaeh  h  £  H  does  not 
depend  on  b  by  the  above. 

-  The  additional  inputs  to  A  sinee  his  last  output  are  messages  fih2b,  h  £  H,  shown 
above  to  be  independent  of  b.  Thus  the  messages  i  £  D,  reeeived  by  h  G  Tf  are 
independent  of  b. 

-  The  messages  iXh2b,  h  £  H,  reeeived  by  h'  £  H  are  shown  above  to  be  independent  of 
b. 

-  GOh  is  set  to  FALSE  if  h  reeeives  an  invalid  opening  or  an  opening  to  an  invalid  eipher¬ 
text,  h  £  H.  Thus  GOh  still  does  not  depend  on  b  by  the  above. 

•  Phase  3: 


44 


-  Whether  C'^  fails  depends  on  Z^,  on  the  partially  deerypted  eiphertexts  C"  and  C'^,  and 
on  the  eiphertexts  hi  reeeives  during  the  shuffle.  C”,  and  are  shown  above  to 
be  independent  of  b.  If  hi  =  1,  then  the  reeeived  eiphertexts  are  in  the  openings  of  the 
message  eommittments  from  the  previous  phases.  These  are  shown  above  not  to  depend 
on  b.  If  hi  >  1,  then  these  eiphertexts  are  from  the  adversary  in  this  phase,  and  sinee  his 
last  output,  the  adversary  has  only  reeeived  as  additional  input  messages  from  honest 
users  that  are  independent  of  b,  as  shown  above.  Thus  the  outputs  of  A  eontinue  to  be 
independent  of  b.  In  either  ease,  therefore,  the  probability  that  C"^  fails  is  independent 
of  b. 

-  h  ^  H  ehooses  a  permutation  tt^  to  apply  to  the  elements  of  the  eiphertext  veetor  it 
reeeives  in  this  phase,  tt^  is  ehosen  independently  of  b. 

-  The  behavior  of  hi  depends  on  Z^,  which  has  been  shown  to  be  independent  of  b. 

*  Case  i :  Z^  =  0.  A  message  is  only  sent  by  hi  if  does  not  fail,  which  itself  only 
happens  when  C"  and  appear  exactly  once  each  among  the  received  ciphertexts. 
In  this  case,  hi  replaces  these  by  {C'^}oN-.Oh^+i  and  {C'p}oM-Oh^+i^  where  the 
keys  used  are  those  received  by  the  a  and  /3,  respectively.  If  the  encryption  keys 
received  by  a  and  /?  do  not  match,  then  a  and  /3  will  send  different  broadcast 
hashes  to  hi  in  Phase  4,  and  C"^  will  fail  by  Phase  6.  Assuming  C"^  does  not  fail, 
the  replacements  makes  for  C'^  and  are  mb  and  mg,  respectively,  multiply 
encrypted  in  the  same  way.  simply  decrypts  the  rest  of  the  received  ciphertexts 
using  its  outer  private  key. 

The  received  ciphertexts  are  received  from  A,  which  has  not  received  any  messages 
since  the  last  phase.  Therefore  the  above  shows  that  these  ciphertexts  are  indepen¬ 
dent  of  b.  The  permutation  vr/ij  used  in  the  vector  Chi  uniformly  random.  Thus, 
regardless  of  b,  Chi  contains  in  a  random  order  mo  and  mi  encrypted  in  the  same 
way  as  well  as  the  decryptions  of  the  rest  of  the  received  ciphertexts.  Therefore, 
assuming  has  not  and  will  not  fail,  the  message  fXhiS  sent  by  hi  is  independent 
of  b. 

*  Case  2:  Z^  =  1.  The  message  fihiS  sent  by  hi  depends  on  messages 

from  the  previous  phases,  and  messages  from  the  adversary  in  this  phase.  These 
are  all  shown  above  to  be  independent  of  b. 

-  The  message  from  member  i  >  hi  depends  on  the  messages  from  previous  phases 
and  messages  in  this  phase  from  members  j  <  i.  We  have  shown  above  that  messages 
from  previous  phases  are  independent  of  b.  We  inductively  assume  that  messages  in 
this  phase  from  j  <  i  are  independent  of  b.  For  i  £  D,  the  only  additional  inputs  A 
has  received  since  the  last  phase  are  yUjs,  j  <  i,  and  therefore  its  outputs  continue  to 
be  independent  of  b.  For  i  £  H,  contains  the  permutation  and  decryption  of  the 
ciphertexts  received  by  i  in  /i(j_i)3.  The  permutation  tt*  and  decryption  key  used 
are  shown  above  to  be  independent  of  b.  Therefore  ms  is  independent  of  b. 

-  GOh,  h  £  H,  may  be  set  to  FALSE  depending  on  the  ciphertexts  in  ^Xhz-  This  message  is 
shown  above  to  be  independent  of  b,  and  so  GOh  remains  independent  of  b. 

-  The  messages  ^hs,  h  £  H  received  by  h'  £  H  are  shown  above  to  be  independent  of  b. 

•  Phase  4: 


45 


-  C'^  fails  if  =  0  and  either  a  or  /3  reeeived  a  veetor  Cn  that  didn’t  eontain  both  inner 
eiphertexts  and  C'^  at  least  onee.  If  eneryption  keys  reeeived  by  a  and  /3  mateh, 
then  the  set  {C^,  eontains  mo  and  mi  enerypted  in  the  same  way,  and  thus  it  does 
not  depend  on  b.  Cn  and  are  shown  above  to  be  independent  of  b.  Therefore,  if  the 
eneryption  keys  of  a  and  /3  mateh,  whether  or  not  fails  is  independent  of  b.  If  those 
eneryption  keys  don’t  mateh,  then  C"^  will  fail  in  Phase  6.  The  keys  are  reeeived  in  an 
earlier  phase,  and  so  it  follows  from  above  that  whether  or  not  they  mateh  is  independent 
of  b. 

-  GOfi,  h  G  H\{a,l3},  is  updated  depending  on  the  inner  eiphertext  C*^,  ij,n3,  the  fail 
flag  fh,  and  GOh  itself,  all  of  whieh  are  shown  above  to  be  independent  of  b.  Thus  GOh 
remains  independent  of  b. 

-  The  update  to  GO^,  h  G  {a,  /?},  depends  on  whieh  is  shown  above  to  be  independent 
of  b,  as  follows: 

*  Case  i:  =  0.  In  this  ease,  if  the  eiphertext  veetor  sent  to  both  a  and  /3  does 

not  eontain  both  the  inner  eiphertexts  of  a  and  /3,  then  C"^  will  fail.  Assuming  that 

does  not  fail,  both  GOq,  and  GO/?  get  set  to  FALSE  if  the  fail  flag  is  fh  =  TRUE, 
and  otherwise  keep  any  existing  FALSE  value  or  get  a  new  value  of  TRUE.  They 
thus  remain  independent  of  b. 

*  Case  2:  Z^  =  1.  For  h  G  {a,  /?},  GOh  is  updated  depending  on  fh,  the  message 
/UAr3  reeeived  by  h,  on  and  on  GOh  itself.  In  this  ease,  the  inner  eiphertext  is 
shown  above  to  be  independent  of  b.  Likewise,  fh,  fJ-NS  and  GOh  are  shown  above 
to  be  independent  of  b. 

-  The  message  fih4  =  {gO/j,  HASH{i?},  n??,  4,  /ijsiG^^,  h  G  H,  does  not  depend  on  b 
by  the  above. 

-  The  additional  inputs  to  A  sinee  his  last  output  are  messages  Hhi,  h  £  H,  shown  above 
to  be  independent  of  b.  Thus  the  messages  /Uj4,  i  £  D,  reeeived  by  /i  G  Tf  are  indepen¬ 
dent  of  b. 

-  The  messages  i^hi,  h  £  H,  reeeived  by  h'  £  H  are  shown  above  to  be  independent  of  b. 

•  Phase  5: 

-  Whether  fails  in  this  phase  depends  on  Z^  and  on  the  messages  sent  and  reeeived 
by  hi .  These  are  shown  above  to  be  independent  of  b,  and  thus  failure  in  this  phase  is 
independent  of  b  also. 

-  The  message  ^h5  sent  by  h  £  H  and  several  internal  variables  are  set  differently  de¬ 
pending  on  the  messages  sent  and  reeeived  by  h,  whieh  are  shown  above  to  be 
independent  of  b,  as  follows: 

*  Case  1:  h  reeeives  all  GO*  =  TRUE  and  HASH{.Bj}  =  HASh{.B/i}. 

•  The  message  ^h5  =  '^r,  5,  h}siGu,^  does  not  depend  on  b  by  the  above. 

•  SUCCESS/i  depends  on  the  messages  sent  and  reeeived  up  to  and  ineluding 
this  phase.  These  messages  are  shown  above  to  be  independent  of  b,  and  thus 
SUCCESS/i  is  also. 


46 


•  depends  on  SUCCESS/j  and  on  the  messages  sent  and  received  up  to  and 
including  this  phase.  All  of  these  are  shown  above  to  be  independent  of  b,  and 
thus  is  also. 

*  Case  2:  h  receives  some  GOj  =  FALSE  or  HASH{.Bj}  /  HASh{.B/j}. 

•  The  message  =  {0,  5,  hr,  5,  /ijsiGu^  does  not  depend  on  b  by  the  above. 

•  SUCCESS/!  is  set  to  FALSE,  and  thus  is  independent  of  b. 

-  The  additional  inputs  to  A  since  his  last  output  are  messages  ^^5,  h  £  H,  shown  above 
to  be  independent  of  b.  Thus  the  messages  ^*5,  i  £  D,  received  by  h  £  H  are  indepen¬ 
dent  of  b. 

-  The  messages  Hhb,  h  £  H,  received  by  h'  £  H  are  shown  above  to  be  independent  of  b. 

•  Phase  6: 

-  Whether  C'^  fails  in  this  phase  assuming  the  encryption  keys  of  a  and  (3  match  (a  case 
already  covered  above)  depends  on  and  on  the  messages  sent  and  received  by  hi. 
These  are  shown  above  to  be  independent  of  b,  and  thus  failure  in  this  phase  under  the 
matching-keys  assumption  is  independent  of  b  also. 

-  The  message  Hhe  sent  by  h  £  H  is  created  differently  depending  on  SUCCESS/!  and  the 
messages  sent  and  received  before  this  phase.  These  are  shown  above  to  be  independent 
of  b,  and  so  the  relevant  case  is  independent  of  b  as  well. 

*  Case  1:  SUCCESS/!  =  TRUE.  The  message  =  {T,nR,  6,h}siGu^  sent  by  h 
depends  only  on  messages  sent  and  received  in  previous  phases.  They  are  shown 
above  to  be  independent  of  b,  and  thus  is  as  well. 

*  Case  2:  SUCCESS/!  =  FALSE,  and  for  all  i  GO*  =  TRUE  and  HASh{.B!}  = 
HASh{.B/!}.  The  message  HhQ  =  {T,nR,  6,  h}siGu^  sent  by  h  depends  only  on 
messages  sent  and  received  in  previous  phases.  They  are  shown  above  to  be  inde¬ 
pendent  of  b,  and  thus  is  as  well. 

*  Case  3:  SUCCESS/!  =  FALSE,  and  for  some  i  GO*  =  FALSE  or  HASH{.Bj}  / 

HASh{.B/!}.  The  message  HhG  =  T,  ^r,  6,  /i}siG„^  sent  by  h  depends 

on  messages  sent  and  received  in  previous  phases  as  well  as  some  internal  variables, 
all  of  which  are  shown  above  to  be  independent  of  b. 

-  The  additional  inputs  to  A  since  his  last  output  are  messages  h  £  H,  shown  above 
to  be  independent  of  b.  Thus  the  messages  jiiG,  i  £  D,  received  by  h  £  H  are  indepen¬ 
dent  of  b. 

-  The  messages  fihe,  h  £  H,  received  by  h'  £  H  are  shown  above  to  be  independent  of  b. 

-  The  outputs  and  some  internal  variables  are  set  differently  depending  on  SUCCESS/j 
and  the  messages  sent  and  received  before  this  phase.  These  are  shown  above  to  be 
independent  of  b,  and  so  the  relevant  case  is  independent  of  b  as  well. 

*  Case  1:  SUCCESS/j  =  TRUE.  The  output  Oh  =  (SUCCESS,  M^)  is  shown  above  to 
be  independent  of  b. 

*  Case  2:  SUCCESS/!  =  FALSE,  and  for  all  i  GO*  =  TRUE  and  HASHlSj}  = 
HASii{Bh}. 


47 


•  BLAME/j  is  set  based  only  on  messages  sent  and  reeeived  up  to  this  point  and 
thus  by  the  above  is  independent  of  b. 

•  Log  ifi  ineludes  the  output  of  SETUP-S  and  all  messages  sent  and  reeeived  by 
h  and  thus  is  independent  of  b  by  the  above. 

•  The  output  Oh  =  (failure,  BLAME/i,  is  shown  above  to  be  independent 
of  b. 

*  Case  3:  SUCCESS/i  =  FALSE,  and  for  some  i  GO*  =  FALSE  or  HASH{.Bj}  / 
hash{.B,,}. 

•  BLAME/j  is  set  based  only  on  messages  sent  and  reeeived  up  to  this  point  and 
thus  by  the  above  is  independent  of  b. 

•  Log  ih  ineludes  the  output  of  SETUP-S  and  all  messages  sent  and  reeeived  by 
h  and  thus  is  independent  of  b  by  the  above. 

•  The  output  Oh  =  (failure,  BLAME/i,  is  shown  above  to  be  independent 
of  b. 

Finally,  we  are  able  to  prove  that  the  messages,  outputs,  and  failures  of  C"^  are  independent  of  b. 
The  above  analysis  shows  that  the  probability  of  failure  does  not  depend  on  b.  This  implies  that  the 
probability  that  the  messages  M  and  outputs  O  of  honest  members  take  their  eonstant  failure  values 
independently  of  b  as  well.  When  does  not  fail,  the  above  analysis  shows  that  all  messages  and 
outputs  from  honest  members  are  determined  independently  of  b.  Thus 

Pr[M  =  m  AO  =  o  A  =  f\I  =  i  Ab  =  0]  =  Pr[M  =  m  AO  =  o  A  =  f\I  =  i  Ab  =  1]. 

□ 

We  use  this  independenee  from  b  of  the  ehallenge  shuffle’s  messages,  outputs,  and  failure  to 
prove  that  the  adversary  has  no  advantage  in  Game  2. 

Lemma  13.  A(G^)  =  0. 

Proof.  To  prove  this,  we  show  that  the  steps  of  the  anonymity  game  surrounding  the  ehallenge 
shuffle  are  independent  of  b  and  use  the  previous  lemma  for  the  ehallenge  shuffle  itself. 

1.  In  Step  1,  the  protoeol  exeeutions  are  independent  of  b. 

2.  In  Step  2,  the  all  messages  to  the  adversary  have  been  independent  of  b,  and  so  the  users  and 
messages  A  sends  to  for  the  ehallenge  run  are  independent  of  b. 

3.  In  Step  3,  the  ehallenger  should  assign  the  ehallenge  messages  to  the  eorreet  ehallenge  users, 
depending  on  b.  However,  we  have  modified  the  ehallenger  to  ereate  Game  2  sueh  that  this  is 
not  neeessary,  and  so  we  ean  omit  this  step. 

4.  During  the  challenge  run  in  Step  4,  first  executes  SETUP-S  using  as  input  the  honest 

members’  long-term  signing  keys,  which  are  independent  of  b,  as  are  the  previous  messages 
to  A,  and  so  the  output  (n/j,  K,  L)  of  SETUP-S  is  independent  of  b.  then  calls  C"^  with 
inputs  I  =  (a, /3,  mg,  mf ,  riR,  F,  r)  and  b.  I  is  determined  by  previous 

messages  from  A  and  the  outputs  of  SETUP-S.  These  have  been  shown  to  be  independent  of 
b,  and  thus  I  is  as  well.  We  can  then  apply  Lemma  12  to  conclude  that  the  joint  distribution 
of  shuffle  failure  and  messages  to  A  are  independent  of  b. 


48 


5.  If  C"^  didn’t  fail,  which  as  shown  occurs  independently  of  b,  then  executes  Step  5  of  the 
anonymity  game  by  executing  additional  protocol  executions.  These  depend  on  messages 
from  A,  and  all  messages  to  A  have  been  shown  independent  of  b.  Thus  these  executions  are 
independent  of  b. 

6.  The  adversary’s  guess  b  in  Step  6  depends  on  the  messages  to  A  and  the  possible  failure  of 
C^.  These  have  been  shown  to  be  independent  of  b,  and  so  b  is  independent  of  b. 

G‘^{b)  depends  on  and  b.  These  have  been  shown  to  be  independent  of  b,  and  thus 

Pr[G^{l)  =  1]  =  Pr[G^{0)  =  1]. 


□ 

Theorem  5.  The  GMP-SHUFFLE  protocol  maintains  anonymity  with  k  colluding  members  for  any 
0  <  /c  <  iV  -  2. 

Proof.  Let  A  be  a  probabilistic  polynomial-time  adversary.  Let  the  change  in  advantage  between 
Games  i  and  j  be  eij  =  |A(G-^)  —  A(G*)|.  By  Lemma  9,  the  advantage  of  A  in  the  anonymity 
game  with  GMP-SHUFFLE  is  2A(G^)  <  2(eoi  +  €12  +  Lot  is  negligible  by  Lemma  10,  ei2 

is  negligible  by  Lemma  11,  and  A(G^)=0  by  Lemma  13.  Thus  the  advantage  of  A  in  the  anonymity 
game  with  GMP-SHUFFLE  is  negligible.  □ 

5.5.2  The  GMP-Bulk  Protocol 

We  show  that  the  adversary’s  advantage  in  winning  the  anonymity  game  with  GMP-BULK  is  negli¬ 
gible. 

As  in  the  shuffle  anonymity  proof  (Section  5.5.1),  we  take  an  adversary  A  playing  against  the 
anonymity-game  challenger  G  and  construct  a  sequence  of  games  by  successively  modifying  the 
challenger.  We  will  show  how  any  non-negligible  difference  in  the  game’s  advantage  between  neigh¬ 
boring  games  will  contradict  assumed  security  properties  of  the  cryptographic  primitives.  The  final 
game  will  be  information-theoretically  secure,  that  is,  the  output  advantage  will  be  zero.  We  incor¬ 
porate  the  anonymity  proof  for  the  shuffle  by  using  that  sequence  of  games  (extended  to  GMP-BULK) 
as  game  subsequences  modifying  the  challenger  during  the  bulk  protocol’s  shuffle  phases. 

We  define  Game  0,  Game  1,  and  Game  2  by  changing  the  behavior  of  G  during  the  message- 
descriptor  shuffle  in  Phase  3.  The  changes  are  essentially  the  same  as  those  made  in  Game  0,  Game 
1,  and  Game  2,  respectively,  in  the  shuffle  anonymity  proof  (Section  5.5.1).  We  then  similarly  define 
Game  3,  Game  4,  and  Game  5  by  applying  the  same  sequence  of  changes  to  the  blame  shuffle  in 
Phase  7.  We  replace  the  encrypted  seeds  sent  in  the  message  descriptors  of  a  and  /3  with  unrelated 
ciphertexts  to  define  Game  6.  Finally,  in  Game  7,  we  replace  the  pseudorandom  bit  streams  sent 
during  data  transmission  with  random  streams. 

As  before,  let  hi,  /12,  •  •  • ,  /^TV-fe  be  the  honest  users  in  the  order  they  appear  in  the  shuffle.  Let 
C*  be  the  challenger  defined  in  Game  i.  Let  Z\  and  indicate  that  challenger  C*  guesses  that  hi 
should  release  her  outer  private  key  at  some  point  as  part  of  the  message  descriptor  shuffle  (Phase 
3)  and  the  blame  shuffle  (Phase  7),  respectively.  Let  F*  indicate  whether  or  not  the  challenger  failed 
in  Game  i.  Let  G*  indicate  a  “game  output”  for  Game  i.  The  challenge  bit  b  is  again  an  implicit 
input  to  the  games’  challengers  and  associated  random  variables. 


49 


Game  0:  We  create  a  challenger  that  sets  G  {0;  1}  uniformly  at  random  as  a  guess 
about  if  hi  should  reveal  an  outer  private  key  during  the  message-descriptor  shuffle  of  the  challenge 
run  in  the  bulk  anonymity  game.  That  is,  behaves  the  same  as  the  anonymity-game  challenger 
except  that  he  fails  if  his  guess  proves  to  be  wrong  at  certain  points  during  Phase  3  of  the  challenge 
protocol  run.  These  failure  points  are  exactly  the  same  (using  Zf  in  place  of  Z^)  as  those  defining 

for  Game  0  of  the  shuffle  anonymity  analysis  (Section  5.5.1),  and  so  we  do  not  repeat  them  here. 
Again,  when  failure  occurs,  =  1,  terminates,  and  the  game  output  is  set  to  a  uniformly 
random  bit.  In  every  other  case,  =  0,  behaves  exactly  as  C  would. 

Game  1:  We  again  reuse  the  changes  described  in  the  shuffle  anonymity  analysis.  We  create 
challenger  by  applying  the  changes  that  define  for  Game  1  of  the  shuffle  analysis  to  the 
challenger  defined  above.  These  changes  are  made  to  the  Phase  3  shuffle  of  the  challenge  run 
in  the  bulk  anonymity  game.  Everywhere  Z^  appears  in  these  changes,  we  instead  use  Zl,  and 
everywhere  ml  appears,  we  instead  use  the  shuffle  input  of  a  (which  is  a  message  descriptor). 
These  changes  effectively  replace  a  ciphertext  containing  the  message  descriptor  of  a  with  one  that 
contains  a  dummy  message  until  it  has  been  shuffled  by  the  first  honest  member. 

Game  2:  As  in  the  shuffle  anonymity  analysis,  this  game  is  created  from  Game  1  above  in  the 
same  way  that  Game  1  itself  was  created  from  Game  0,  except  replacing  Z^  with  Zf,  a  with  (3,  and 
the  shuffle  input  of  a  with  the  shuffle  input  of  (3.  This  effectively  replaces  a  ciphertext  containing 
the  message  descriptor  of  j3  with  one  that  contains  a  dummy  message  until  it  has  been  shuffled  by 
the  first  honest  member. 

Games  3-5:  These  games  further  modify  the  challenger  by  adapting  and  applying  the  sequence 
of  changes  given  in  the  shuffle  anonymity  analysis  as  was  done  to  define  Games  0-2  above.  This 
time,  however,  we  apply  the  changes  to  the  blame  shuffle  (Phase  7)  of  the  challenge  protocol  run. 
In  addition,  the  guess  bit  is  denoted  Z^,  and  the  shuffle  inputs  to  a  and  /3  are  accusations  rather  than 
message  descriptors. 

Game  6:  We  define  challenger  from  by  changing  the  inputs  to  the  message-descriptor 
shuffle  of  the  challenge  run.  During  the  generation  of  message  descriptors  (Phase  2),  we  replace  the 
encrypted  seeds  Sa/s  and  5^^  with  the  encryption  of  new  random  seeds.  Specifically, 

1 .  For  a,  we  replace  the  encrypted  seed  it  creates  for  j3  in  Case  1  of  Phase  2  with  an  encryption 
of  the  new  random  seed  That  is,  we  set  Sap  =  {s'ap\yp^  where  the  encryption  key  is 
among  those  a  received  in  Phase  la.  Note  that  the  original  seed  Sap  is  still  created  and  used 
to  generate  the  ciphertext  Cap- 

2.  For  j3,  we  replace  the  encrypted  seed  it  creates  for  a  in  Case  1  of  Phase  2  with  an  encryption 
of  the  new  random  seed  s'^^.  That  is,  we  set  Spa  =  {s'pa\ya^  where  the  encryption  key  is 
among  those  (3  received  in  Phase  la.  Again,  note  that  the  original  seed  spa  is  still  created  and 
otherwise  used  as  before. 

Then  during  data  transmission  (Phase  4),  recognizes  the  seeds  that  match  and  among 
those  received  by  /?  and  a,  respectively,  and  simply  uses  the  original  seeds  to  generate  the  necessary 
ciphertexts.  More  precisely,  for  a,  in  Case  2  of  Phase  4,  whenever  a  value  Sia  received  by  a 
decrypts  to  a  seed  that  the  challenger  recognizes  is  identical  to  a  sets  Cia  to  the  ciphertext  Cpa 
that  was  generated  earlier  from  spa-  ^  similar  action  is  taken  for  f3,  where  this  time  the  challenger 
looks  for  decrypted  seeds  matching  and  uses  Cap  for  the  ciphertext. 

Game  7 :  We  construct  challenger  from  C®  by  replacing  some  pseudorandomness  with  true 


50 


randomness  during  the  challenge  protocol  run.  For  a  and  (3,  in  Case  1  of  Phase  2  (descriptor  gener¬ 
ation),  the  ciphertexts  Ca0  and  CjSa,  respectively,  are  chosen  uniformly  at  random  rather  than  being 
generated  pseudorandomly.  Note  that  these  random  ciphertexts  are  then  used  in  the  computation 
of  Caa  and  Cpp,  respectively.  Then  in  Case  2  of  Phase  4  (data  transmission),  a  and  /3  use  these 
random  sequences  as  ciphertexts.  That  is,  a  sends  the  random  Cpa  generated  in  Phase  2  for  every 
decrypted  seed  Sia  that  matches  s'^^.  Similarly,  /3  sends  the  random  generated  in  Phase  2  for 
every  decrypted  seed  Sip  that  matches 

The  following  lemma  shows  that,  as  in  the  shuffle  proof,  the  output’s  advantage  in  Game  0  is 
1  /2  the  advantage  of  A  in  the  anonymity  game: 


Lemma  14. 


A(G°)  = 


Pr 


AC(o)  =  1 


—  Pr 


=  1 


where  the  probability  is  taken  over  the  randomness  of  both  the  adversary  and  the  challenger. 


Proof.  The  proof  of  this  lemma  is  almost  exactly  the  same  as  the  proof  of  Lemma  9.  We  simply 
interpret  each  reference  to  a  phase  of  the  challenge  shuffle  as  instead  referring  to  a  phase  of  the 
message-descriptor  shuffle  in  the  bulk  protocol.  We  also  replace  everywhere  it  appears  with 
Z?.  □ 

The  next  lemma  shows  that,  as  in  the  shuffle  proof,  the  ciphertext  changes  from  Game  0  to 
Game  2  can  only  change  the  advantage  of  the  game  output  by  a  negligible  amount. 

Lemma  15,  |  A(G^)  —  A(G°)|  is  negligible. 

Proof.  Games  1  and  2  are  constructed  by  making  essentially  the  same  changes  to  the  challenger’s 
behavior  during  the  descriptor  shuffle  that  were  made  in  Games  1  and  2  of  the  shuffle  anonymity 
analysis.  Thus,  the  proof  that  these  two  sets  of  changes  each  only  change  the  output  advantage  by  a 
negligible  amount  is  almost  exactly  the  same  as  the  proofs  of  Lemmas  10  and  11. 

In  these  proofs,  a  distinguisher  D  is  constructed  that  simulates  either  member  of  a  pair  of  adja¬ 
cent  games  for  the  adversary,  depending  on  the  hidden  bit  of  the  distinguishing  game.  The  proofs 
show  that  this  distinguisher  converts  a  non-negligible  change  in  the  game  output’s  advantage  to 
a  non-negligible  advantage  in  the  distinguishing  game.  Such  an  advantage  would  contradict  the 
IND-CCA2  property  of  the  cryptosystem. 

We  slightly  modify  the  argument  of  that  sort  in  the  proof  of  Lemma  10  to  prove  that  the  output 
advantage  changes  negligibly  between  Game  0  and  Game  1 .  We  construct  a  distinguisher  that 
is  the  same  as  D  in  that  proof  with  the  following  differences: 

1.  In  Step  1  of  D,  instead  executes  the  anonymity  game  up  to  the  challenge  run  of  the  bulk 
protocol  (rather  than  the  shuffle  protocol). 

2.  then  executes  Phase  1  and  Phase  2  of  bulk  protocol  exactly,  ending  up  with  the  inputs  of 
honest  members  to  shuffle  protocol  m/j,  that  are  constructed  during  Phase  2. 

3.  continues  with  Step  2  of  D. 

4.  continues  with  Steps  3-8  of  D,  replacing  rrih  with  ma  everywhere. 


51 


5.  After  Step  8  of  the  distinguisher  is  finished,  the  message-deseriptor  shuffle  (i.e.  Phase  3)  of 
the  bulk  protoeol  is  over,  and  the  uses  the  outputs  of  the  honest  members  to  exeeute  the 
rest  of  the  bulk  protoeol  (Phase  4  -  Phase  7)  as  deseribed  in  the  protoeol. 

By  applying  the  subsequent  arguments  of  Lemma  10  to  (again  substituting  ma  for  nib  in  the 
arguments),  we  ean  show  that  the  game  output’s  advantage  ehanges  negligibly  between  Game  0  and 
Game  1. 

We  ean  adapt  the  distinguisher  eonstruetion  and  subsequent  arguments  of  Lemma  1 1  in  the  same 
way  (exeept  using  j3  in  plaee  of  a  and  b  in  plaee  of  b)  to  show  that  the  game  output’s  advantage 
ehanges  negligibly  between  Game  1  and  Game  2.  □ 

Game  3  is  ereated  by  applying  the  first  game  transformation  of  the  shuffle  proof  to  the  blame 
shuffle  in  Game  2,  that  is,  by  having  the  ehallenger  guess  about  the  revelation  of  outer  private  keys. 
Thus,  as  in  the  shuffle  proof,  the  game  advantage  deereases  by  a  faetor  of  1/2: 

Lemma  16.  A(G^)  =  ^A{G‘^),  where  the  probability  is  taken  over  the  randomness  of  both  the 
adversary  and  the  challenger. 

Proof.  As  with  Lemma  14,  the  proof  of  this  lemma  is  almost  exaetly  the  same  as  the  proof  of 
Lemma  9.  We  apply  that  proof  to  this  lemma  by  interpreting  eaeh  referenee  to  a  phase  of  the 
ehallenge  shuffle  as  instead  referring  to  a  phase  of  the  blame  shuffle  in  the  ehallenge  bulk  round. 
As  we  are  eomparing  Games  2  and  3  rather  than  the  anonymity  game  and  Game  0,  everywhere  they 
appear  we  replaee  C  with  with  G‘^{b),  G^  with  G^,  and  with  Zf.  In  addition,  the 

transeripts  between  A  and  G^  (i.e.  ^2)  and  between  A  and  G^  (i.e.  qs)  may  fall  into  one 

more  ease  than  the  four  given  in  that  proof.  The  ehallenger  may  fail  with  an  ineorreet  guess  Zi 
during  the  deseriptor  shuffle.  The  proof  of  Lemma  14  shows  that  this  failure  oeeurs  with  probability 
1/2  in  Game  0,  and  in  Game  2  this  failure  eontinues  to  oeeur  with  probability  1/2  and  for  the  same 
reasons,  namely  that  eaeh  transeript  falls  into  exaetly  one  of  the  four  listed  eases,  and  failure  oeeurs 
in  eaeh  ease  when  the  independently  random  bit  Zf  has  a  eertain  value.  The  proof  of  Lemma  9  ean 
easily  be  modified  to  inelude  this  failure  ease,  with  the  following  modified  eonelusions: 

1.  Eaeh  transeript  ease  oeeurs  with  the  same  probability  for  <72  and 

2.  Failure  oeeurs  in  every  ease  exeept  for  the  added  one  (whieh  always  fails)  with  probability 
1/2. 

3.  The  distribution  of  transeripts  in  q3  eonditional  on  =  0  is,  in  every  ease  exeept  the 
added  one,  the  same  as  the  distribution  of  transeripts  in  the  same  ease  in  q2  . 

These  imply  that  =  0  with  probability  1/4  and  that  the  eonditional  distribution  of  q3  given 
=  0  is  the  same  as  the  distribution  of  Tyj  q2  given  that  F^  =  0.  The  game  outputs  G^  and  G^ 
are  the  adversary  output  when  the  ehallenger  does  not  fail  and  are  uniformly  random  bits  otherwise. 
Thus 

|Fr  [G3(0)  =  1]  -  Fr  [0^(1)  =  l]  |  =  ^  |Fr[G3(0)  =  1\F^  =  0]  -  Pr[G^{l)  =  IjF^  =  0]| 

=  ^ \Pr[G^{0)  =  1|F2  =  0]  -  Pr[G'^{l)  =  IjF^  =  0]| 

=  l\Pr[G\0)  =  l]-Pr[G\l)  =  l]\ 


52 


□ 

Changing  ciphertexts  from  the  challenger  from  Game  3  to  Game  5  has  only  a  negligible  effect 
on  the  output  advantage,  as  in  the  analogous  game  transitions  of  the  shuffle  proof: 

Lemma  17.  |  A(G^)  —  A(G^)|  is  negligible. 

Proof.  This  lemma  can  be  proven  using  the  arguments  of  Lemma  15  applied  to  the  blame  shuffle 
rather  than  the  descriptor  shuffle.  Those  construct  distinguishers  and  show  that  they  convert  a  non- 
negligible  change  in  the  game  output  between  Games  3  and  4  or  between  Games  4  and  5  into  a 
non-negligible  advantage  in  the  IND-CCA2  game.  This  would  contradict  the  IND-CCA2  property 
of  the  cryptosystem.  □ 

Game  6  is  created  from  Game  5  by  changing  some  PRNG  seeds  that  are  then  encrypted  and 
sent  by  the  challenger.  By  the  IND-CCA2  property  of  the  encryption  scheme,  this  can  only  have  a 
negligible  effect  on  the  output  advantage: 

Lemma  18.  |  A(G®)  —  A(G^)|  is  negligible. 

Proof.  To  prove  this  lemma,  we  consider  the  two  ciphertext  changes  in  sequence:  i)  {sap}yp  gets 
replaced  by  and  ii)  {sj3o}ya  replaced  by  {s'j^^y^.  For  each  change,  we  can  construct 

a  distinguisher  that  converts  a  non-negligible  change  in  the  game-output  distribution  into  a  non- 
negligible  advantage  in  the  distinguishing  game. 

Let  Game  5a  refer  to  the  game  that  results  from  just  the  ciphertext  replacement  in  (/).  Let  be 
the  challenger  in  the  distinguishing  game  and  be  the  challenge  bit.  We  construct  a  distinguisher 
D  that  simulates  either  Game  5  or  Game  5a,  depending  on  bo,  as  follows: 

1 .  D  simulates  the  anonymity-game  challenger  up  to  the  challenge  run  of  the  bulk  protocol. 

2.  To  begin  Phase  1  of  the  bulk  protocol  (key  generation),  D  obtains  the  public  encryption  key 
Kd  from  Cd  and  sets  yp  =  Kr).  D  generates  the  encryption  key  pairs  {xh,  Vh)  for  all  other 
honest  users.  Then  D  continues  with  the  rest  of  Phase  la  (session-key  generation)  followed 
by  Phase  lb  (key  verification),  acting  as  would. 

3.  D  executes  Phase  2  (descriptor  generation)  for  a  as  follows: 

Case  P.  If  key  verification  is  successful  (Case  1  of  Phase  2),  D  executes  the  phase  for  a  as 
would  up  to  the  point  at  which  is  assigned.  At  this  point,  D  randomly  chooses  a 
new  seed  s'^^,  submits  {sap,  to  Cd,  receives  c;,^  as  a  response,  and  sets  Sajs  =  Chj^.  D 
executes  the  rest  of  the  phase  for  a  as  would. 

Case  2:  If  key  verification  fails  (Case  2  of  Phase  2),  D  executes  the  phase  for  a  as  would. 
Case  3:  This  case  will  never  execute  for  a  because  a  has  message  nih  to  send. 

D  executes  Phase  2  for  the  other  honest  members  as  would. 

4.  D  executes  Phase  3  as  would. 


53 


5.  D  executes  Phase  4  (data  transmission)  for  /3  as  follows: 

Case  1 :  If  the  descriptor  shuffle  failed  (Case  1  of  Phase  4),  D  executes  the  phase  for  /?  as 
would. 

Case  2:  Otherwise  the  descriptors  were  successfully  received  (Case  2  of  Phase  2).  For  each 
encrypted  seed  5^^  received  by  /?  in  a  descriptor,  if  Sijj  matches  the  encrypted  seed 
created  by  a  for  (3,  then  D  sets  to  the  seed  Sap  chosen  by  a  in  Phase  2,  rather  than 
obtaining  it  by  decrypting  Sj/j.  Otherwise,  D  sends  Si^  io  Cd  for  decryption,  receiving  s  in 
response.  If  s  =  then  set  Sip  =  Sap,  and  otherwise  set  sip  =  s.  D  completes  the  phase 
as  would. 

D  executes  this  phase  for  the  other  honest  members  as  would. 

6.  D  executes  Phase  5  (acknowledgement  submission)  and  Phase  6  (message  recovery)  as 
would. 

7.  D  executes  Phase  7  (blame)  as  would.  It  will  never  be  required  for  D  to  produce  the 
random  bits  used  to  produce  Sap,  which  it  would  be  unable  to  do,  because  /3  only  sends 
ciphertexts  with  correct  hashes  for  slots  with  the  descriptors  of  honest  members. 

8.  D  executes  the  rest  of  the  anonymity  game  after  the  challenge  run  as  would. 

9.  D  uses  G  as  its  guess  ho- 

We  observe  that,  except  with  negligible  probability,  D  simulates  C®  if  =  0  (i.e.  if  Cf,^  = 
{sap}yp),  and  D  simulates  (7^“  if  bo  =  1-  Note  that,  depending  on  bo,  D  creates  a  message 
descriptor  for  a  that  contains  as  a  seed  for  /?  either  the  encryption  of  Sap  or  of  s'^^.  Moreover,  if 
bn  =  ^,  D  correctly  uses  Sap  for  all  encrypted  seeds  received  by  fi  that  match  and,  if  =  0, 
the  probability  that  fi  receives  an  encryption  of  and  (incorrectly)  uses  Sap  as  the  decryption  is 
negligible  because  is  never  used  in  the  simulation  up  to  that  point  and  is  chosen  independently 
at  random.  In  addition,  the  ciphertexts  sent  to  the  decryption  oracle  never  match  the  forbidden  text 
Cbo  =  Sap  because  in  those  cases  the  decryptions  are  copied  directly  from  the  seed  created  by  a 
for  (3.  In  every  other  way,  and  (7^“  act  the  same,  and  D  simulates  their  behavior. 

The  output  of  D  is  the  game  output  G{b),  where  b  is  the  challenge  bit  of  the  simulated  anonymity 
game.  (7(6)  is  set  exactly  as  it  is  by  the  simulated  challenger  except  with  negligible  probability,  and 
thus  the  advantage  of  D  is  negligibly  close  to  the  change  in  (7(6)  for  any  6.  That  is. 


Pr^D  =  1|6d  =  0]  -  Pr^D 


l\hD  =  1]  -  \Pr[G^{b)  =  1]  -  Pr[(7®“(6)  = 


is  negligible.  Because  the  advantage  in  the  distinguishing  game  is  negligible  by  the  IND-CCA2 
property  of  the  cryptosystem,  the  change  in  the  output  distribution  between  Game  5  and  Game  5a 
for  a  given  value  of  6  must  be  negligible.  This  implies  that  the  change  in  the  output  advantage  is 
also  negligible. 

Applying  ciphertext  replacement  (//)  to  Game  5a  results  in  Game  6.  Essentially  the  same  ar¬ 
gument  as  above  (simply  swapping  a  and  [3  everywhere)  shows  that  the  output  advantage  changes 
negligibly  as  a  result  of  this  replacement. 

Thus  the  output  advantage  changes  negligibly  between  Game  5  and  Game  6.  □ 


54 


We  create  Game  7  from  Game  6  by  replacing  some  pseudorandom  streams  with  random  streams. 
By  the  pseudorandomness  of  the  PRNG,  doing  so  has  a  negligible  effect  on  the  output  advantage: 

Lemma  19.  |  A(G’^)  —  A(G®)|  is  negligible. 

Proof.  Consider  the  changes  made  to  C®  in  the  following  sequence:  i)  /3  chooses  the  ciphertext 
Cpct  in  Phase  2  randomly  instead  of  pseudorandomly,  and  a  uses  that  ciphertext  in  Phase  4;  and 
ii)  a  chooses  the  ciphertext  Cap  in  Phase  2  randomly  instead  of  pseudorandomly,  and  j5  uses  that 
ciphertext  in  Phase  4.  Let  Game  6a  be  the  game  defined  by  applying  (/)  to  Game  6.  Game  7  is  then 
{ii)  applied  to  Game  6a.  We  can  show  that  the  game  output  changes  negligibly  for  each  pair  in  this 
short  sequence  by  constructing  a  distinguisher  that  converts  a  change  in  the  game  output  probability 
to  the  same  advantage  in  the  pseudorandomness  game. 

Let  Cr  be  the  challenger  in  the  pseudorandomness  game,  and  let  hR  be  its  challenge  bit.  Dis¬ 
tinguisher  D  interacts  with  Cr  to  simulate  either  Game  6  or  Game  6a  for  the  adversary,  depending 
on  bR.  Let  D  behave  as  follows: 

1 .  D  executes  the  anonymity  game  as  C^  would  up  to  the  challenge  run  of  the  bulk  protocol. 

2.  D  executes  Phase  1  as  C®  would. 

3.  In  Phase  2,  D  receives  r  from  Cr.  For  member  /3,  D  sets  Cpa  =  r  m  Case  1  and  otherwise 
executes  the  phase  for  /?  as  C®  would.  D  executes  Phase  2  for  all  other  honest  members  as 
C®  would. 

4.  D  executes  Phase  3  as  C®  would. 

5.  In  Phase  4,  for  member  a,  D  sets  Cja  =  r  for  all  decrypted  seeds  Sia  that  are  identical  to 
the  seed  generated  by  /3.  D  otherwise  executes  Phase  4  for  /3  as  C®  would.  D  executes 
Phase  4  for  all  other  honest  members  as  C®  would. 

6.  D  executes  Phase  5,  Phase  6,  and  Phase  7  as  C®  would. 

7.  D  executes  the  rest  of  the  anonymity  game  after  the  challenge  run. 

8.  D  uses  the  game  output  of  the  simulated  challenger  as  guess  bR. 

We  observe  that  if  bR  =  0  (i.e.  r  is  pseudorandomly  generated  by  Cr  from  an  unknown  random 
seed  s),  then  D  simulates  Game  6,  and  if  bR  =  1,  then  D  simulates  Game  6a.  In  particular,  D 
can  execute  the  blame  phase  without  knowing  the  seed  that  is  used  to  generate  r,  if  any,  because 
the  encrypted  seed  included  in  the  descriptor  dp  is  already  an  unrelated  seed  Also,  the  chal¬ 
lenger  creates  the  encrypted  seeds  in  both  games,  and  so  any  accusation  can  be  correctly  generated, 
although  because  /3  only  generates  accusations  for  slots  with  its  own  descriptor  dp,  and  a  always 
produces  correct  ciphertexts  when  using  dp,  it  should  in  fact  never  be  the  case  that  /3  generates  an 
accusation  involving  the  ciphertexts  changed  between  Game  6  and  Game  6a. 

The  guess  bit  hR  of  D  is  thus  G®  when  bR  =  0  and  G®“  when  bR  =  1.  Therefore  if  the  differ¬ 
ence  between  Pr[G^(b)  =  1]  and  Pr[G®“(6)  =  1]  were  non-negligible  for  some  b,  then  D  could 
achieve  a  non-negligible  advantage  in  the  pseudorandomness  game.  This  would  contradict  pseudo¬ 
randomness,  and  thus  the  change  in  the  output  advantage  from  Game  6  to  Game  6a  is  negligible. 

A  nearly  identical  argument,  simply  swapping  a  and  j3  everywhere,  shows  that  there  is  a  negli¬ 
gible  change  in  the  game  advantage  from  Game  6a  to  Game  7  as  well.  Thus,  the  change  in  the  game 
advantage  from  Game  6  to  Game  7  is  negligible.  □ 


55 


By  Game  7,  the  adversary  has  the  same  view  whether  mo  belongs  to  a  or  13,  and  thus  there  is 
no  advantage  in  the  game  output.  In  order  to  show  this,  we  follow  the  approaeh  of  Lemmas  12  and 
13,  and  we  view  the  ehallenger  as  ealling  a  subroutine  C"^  to  exeeute  ANONYMIZE-B  during  the 
ehallenge  run.  This  allows  a  natural  deeomposition  of  the  proof,  and  it  also  us  to  express  the  faet 
that  in  addition  to  the  messages  to  the  adversary,  the  outputs  of  the  bulk  protoeol  are  independent 
of  b.  Thus  if,  for  example,  the  members  deeide  later  to  eome  to  a  eonsensus  about  the  results  of 
the  bulk  protoeol,  that  information  won’t  break  anonymity.  C"^  takes  as  input  the  ehallenge  bit 
b  and  I  =  {ur,  t,  a,  (3,  mg,  mf ,  {'mh}h£H\{a,i3})-  either  fails  or  returns  output 

O  =  {Ohi,  ■  ■  ■ ,  Oj^-k),  where  Oh  is  the  output  of  ANONYMiZE-B  for  member  h.  fails  if  and 
only  if  fails. 

In  addition,  we  view  as  exeeuting  the  deseriptor  and  blame  shuffles  by  ealling  as  a  subroutine 
the  ehallenger  C"^  as  defined  in  Seetion  5.5.1  for  use  in  Lemma  12.  C"^  uses  as  inputs  to  C"^  the 
same  K,  a,  (3,  and  r  that  itself  reeeived.  It  uses  ur^  as  the  round  nonee  input  for  the  deseriptor 
shuffle  (i.e.  Phase  3)  and  ur^  as  the  round  nonee  input  for  the  blame  shuffle  (i.e.  Phase  7).  The 
member  messages  and  fail  flags  are  determined  from  its  own  inputs  as  deseribed  in  the  bulk  protoeol 
deseription.  For  the  deseriptor  shuffle,  we  denote  by  and  nf^  the  ehallenge  messages,  by  w\ 
the  non-ehallenge  messages,  and  by  the  fail  flags.  For  the  blame  shuffle,  we  denote  by  mg^  and 
the  ehallenge  messages,  by  m|  the  non-ehallenge  messages,  and  by  /|  the  fail  flags.  We  denote 
by  . . . ,  the  output  of  the  deseriptor  shuffle  and  by  . . . , 

the  output  of  the  blame  shuffle.  fails  if  and  only  if  one  of  the  two  invoeations  of  fails. 

Let  M  be  the  transeript  of  all  messages  between  members  during  the  protoeol.  Let  be  the 
event  that  C'^  fails.  When  =  1,  O  and  M  are  defined  to  take  a  eonstant  failure  value.  The 
following  lemma  shows  that  ehanging  b  does  not  ehange  the  joint  distribution  of  M,  O,  and  F'^. 

Lemma  20. 

Pr[M  =  m  AO  =  o  A  F'’^  =  f\I  =  i  Ab  =  0]  =  Pr[M  =  m  AO  =  o  A  P'"^  =  f\I  =  i  Ab  =  1]. 

Proof.  To  prove  this,  we  traek  the  dependenee  on  b  of  messages  from  to  A,  internal  variables 
of  C"^,  and  outputs  of  C"^.  This  analysis  will  show  that  the  messages  and  outputs  of  C"^  follow  the 
same  distribution  regardless  of  b.  In  order  to  do  this  despite  the  dependenee  of  some  variables  on 
b,  we  will  eonsider  two  parallel  exeeutions  of  the  ehallenge  round,  one  in  whieh  6  =  0  and  one  in 
whieh  6  =  1.  The  messages,  variables,  and  outputs  that  do  not  depend  on  6  will  indeed  be  the  same 
in  the  two  exeeutions.  The  variables  that  do  depend  on  6  may  have  different  states  between  the  two 
exeeutions,  but  the  probability  of  those  paired  states  will  be  the  same. 

We  eonsider  these  exeeutions  step-by-step  as  follows: 

•  Phase  la: 

-  Eneryption  keys  {xh,  Vh)  are  generated  independently  of  6. 

-  The  message  Hhia  from  /i  G  77  is  independent  of  6  by  the  above. 

-  The  additional  inputs  to  A  sinee  his  last  output  are  messages  fihia,  h  £  H,  shown 
above  to  be  independent  of  6.  Thus  the  messages  Hna,  i  £  D,  reeeived  by  7  G  77  are 
independent  of  6. 

-  The  messages  fihia,  h  £  H,  reeeived  by  7'  G  77  are  shown  above  to  be  independent  of 
6. 


56 


•  Phase  lb: 


-  The  message  ///jife  =  {Kf^,nii,  from  h  ^  H  contain  keys  received  from 

other  members  and  thus  is  independent  of  b  by  the  above. 

-  The  additional  inputs  to  A  since  his  last  output  are  messages  fihib,  h  £  H,  shown 
above  to  be  independent  of  b.  Thus  the  messages  i  £  D,  received  by  h  £  H  are 
independent  of  b. 

-  The  messages  iThib,  h  £  H,  received  by  h'  £  H  are  shown  above  to  be  independent  of 
b. 

•  Phase  2:  We  consider  several  cases  for  how  challenge  members  form  descriptors.  These 
cases  depend  on  the  keys  that  honest  members  received  in  the  previous  phases,  and  thus  by 
the  above  the  applicable  case  does  not  depend  on  b. 

-  Case  1:  All  honest  members  received  valid  and  matching  keys  in  the  previous  phases.  In 
this  case,  the  descriptors  da  and  dp  do  depend  on  b,  and  so  we  compare  their  generation 
when  6  =  0  and  when  6=1.  We  observe  that  the  descriptor  for  the  challenge  member 
h  £  {a,  fi]  assigned  mo  is  created  the  same  regardless  of  whether  6,  is  a  or  /3.  A  seed 
is  chosen  uniformly  at  random  for  each  member  i,  it  is  encrypted  to  produce  Shi  using 
the  same  set  of  keys  (as  assumed  for  this  case),  and  the  randomness  of  the  encryption  is 
saved  as  Rhi-  Ciphertexts  Chi  are  produced  for  all  i  £  G\{a,  /?}  using  the  PRNG  with 
the  seed  generated  for  i.  The  ciphertext  Cha  is  chosen  randomly,  and  Chp  is  chosen 
such  that  the  XOR  of  all  ciphertexts  yields  mo.  The  descriptor  is  then  created  from  the 
encrypted  seeds,  hashes  of  the  ciphertexts,  and  the  length  of  mo.  To  emphasize  that 
the  creation  of  the  descriptor  depends  on  the  message  rather  than  its  owner,  we  use  the 
additional  notation  of  Smoi  for  the  seeds,  Rmoi  for  the  encryption  randomness,  Cmoi  for 
the  ciphertexts,  and  dmo  for  the  descriptor.  The  descriptor  for  the  challenge  member 
assigned  mi  is  similarly  generated,  and  we  use  similar  user-independent  notation  for  it 
and  its  components.  Thus,  for  specific  dmo  dmi,  the  probability  that  da  =  dmo 

dp  =  dmi  when  6  =  0  is  the  same  as  the  probability  that  da  =  dm^  and  dp  =  dmo  when 
6=1.  We  thus  let  the  former  occur  in  the  execution  under  consideration  for  6  =  0  and 
the  latter  occur  in  the  execution  for  6  =  1. 

-  Case  2:  Some  honest  member  h  received  an  invalid  key  or  non-matching  keys  in  the 
previous  rounds.  In  this  case,  will  use  =  TRUE  as  an  input  to  and  thus  cause 
the  shuffle  to  fail.  If  Z\  =  0,  the  challenger  has  guessed  wrong,  and  the  challenger  will 
fail.  Assuming  the  challenger  does  not  fail,  Z\  =  1,  and  so  the  descriptors  of  a  and  fi 
are  never  needed  (the  dummy  message  is  preserved  throughout  the  shuffle).  Thus  we 
assume  that  does  not  create  them  at  all. 

-  Member  h  £  H\{a^fi}  creates  her  descriptor  dh  in  a  way  that  only  depends  on  her 
input  message  and  the  keys  she  received  in  the  previous  rounds.  It  is  shown  above  that 
neither  of  these  depends  on  6,  and  so  her  descriptor  does  not  depend  on  6. 

•  Phase  3: 

-  Each  h  £  H  sets  the  fail  flag  for  the  shuffle  in  this  phase  based  on  keys  received  in 
previous  rounds,  and  thus  it  is  independent  of  6  by  the  above. 


57 


-  C"^  calls  C"^.  The  inputs  to  C"^  are  challenge  users  a  and  j3,  challenge  messages  tji'q  = 
dmo  and  =  dm^,  non-challenge  messages  m\  =  dh  for  h  G  H\{a,l3},  round 
number  signing  keys  K,  member  ordering  r,  fail  flags  /^,  and  challenge  bit  b.  As 
shown  above,  all  of  the  inputs  to  C"^  except  b  are  independent  of  b.  Thus  with  I  set  to 
all  those  inputs  except  b  we  can  apply  Lemma  12.  We  conclude  that  fails  in  this  step 
with  probability  independent  of  b,  that  the  messages  sent  are  independent  of  b,  and  that 
the  output  is  independent  of  b. 

-  The  message  fihs  =  {p'jnR,  3,h}siGu^  from  h  €  H  contains  evidence  of  invalid  or 
non-matching  keys  if  any  are  received.  Thus  it  depends  only  on  messages  received  in 
previous  rounds  and  is  independent  of  b  by  the  above. 

-  The  additional  inputs  to  A  since  his  last  output  are  messages  h  £  H,  shown  above 
to  be  independent  of  b.  Thus  the  messages  ^*3,  i  £  D,  received  by  h  £  H  are  indepen¬ 
dent  of  b. 

-  The  messages  (Ths,  h  £  H,  received  by  h'  £  H  are  shown  above  to  be  independent  of  b. 

•  Phase  4: 

-  For  each  member  h  £  H,  we  consider  two  cases  for  the  message  she  sends.  Which  case 
applies  depends  on  the  shuffle  output  O^.  is  shown  above  to  be  independent  of  b, 
and  so  the  relevant  case  is  independent  of  b. 

*  Case  1\  0\  =  (failure,  BLAME^^,^^^).  h  sends  message 

PhA  =  {false,  BLAME^\ ni{,  4,/i}siG„^,  which  is  independent  of  b  by  the 
above. 

*  Case  2  0\  =  (SUCCESS,  h  sends  message 

PhA  =  {TRUE,C;(^)^,...,C;(^)^,nij,4,/i}siGn^.  Fork  £  iF\{a, /?}, 
is  computed  from  the  descriptors  and  keys  received  in  earlier  rounds,  which  are 
shown  above  to  be  independent  of  b.  For  h  £  {a,  /?},  h  uses  as  its  ciphertext  the 
value  Cmoh  generated  in  Phase  2  for  descriptors  containing  the  encryption  of  a  seed 
matching  the  seed  that  is  encrypted  in  dmo  ■  ^  similarly  for  descriptors  with 
seeds  matching  the  one  in  dmi-  Otherwise,  h  computes  ciphertexts  from  the 

descriptors  and  keys  received  in  earlier  rounds.  Cmoh  and  Cmih  are  created  above 
independently  of  b,  and  the  previous  messages  received  by  h  are  shown  above  to  be 
independent  of  b.  Thus,  the  message  iJ,fiA  from  h  is  independent  of  b. 

-  The  additional  inputs  to  A  since  his  last  output  are  messages  h^a^  h  £  H,  shown  above 
to  be  independent  of  b.  Thus  the  messages  ;Uj4,  i  £  D,  received  by  h  £  H  are  indepen¬ 
dent  of  b. 

-  The  messages  //ft4,  h  £  H,  received  by  h'  £  H  are  shown  above  to  be  independent  of  b. 

•  Phase  5: 

-  The  message  =  {Vh,  ur,  5,  /ijsiGtj^  sent  by  h  £  H  depends  on  the  descriptors  di 
obtained  as  an  output  of  the  shuffle,  on  GO*  received  from  each  member  i,  and  on  the 
ciphertexts  CF  received  from  each  member  i.  These  messages  and  outputs  are  shown 
above  to  be  independent  of  b,  and  thus  is  independent  of  b  as  well. 


58 


-  The  additional  inputs  to  A  since  his  last  output  are  messages  h  G  H,  shown  above 
to  be  independent  of  b.  Thus  the  messages  ^*5,  i  ^  D,  received  by  /i  G  Tf  are  indepen¬ 
dent  of  b. 

-  The  messages  h  £  H,  received  by  h'  £  H  are  shown  above  to  be  independent  of  b. 

•  Phase  6:  Member  h  £  H  creates  message  m[  using  the  GOj  and  the  ciphertexts  C'^j  received 
from  each  member  j.  Each  of  these  is  shown  above  to  be  independent  of  b,  and  so  m'  is  also 
independent  of  b. 

•  Phase  7: 

-  Each  h  £  H  sets  the  fail  flag  /|  for  the  shuffle  in  this  phase  based  on  ciphertexts 
received  in  the  messages  /ij4  and  fXj^  from  every  j.  These  messages  are  shown  above  to 
be  independent  of  h,  and  thus  each  is  independent  of  b. 

-  C''^  calls  C'^.  The  inputs  to  from  C"^  are  challenge  users  a  and  f3,  challenge 
messages  m'^  and  (to  be  specified),  non-challenge  messages  m\  =  Ah  for  h  £ 
H\{a,  /?},  round  number  signing  keys  K,  member  ordering  r,  fail  flags  /|,  and 
challenge  bit  b.  We  observe  here  that  a,  f3,  K,  t,  and  the  /|  are  shown  above  to  be 
independent  of  b.  We  consider  two  separate  cases  for  the  blame  shuffle  in  order  to  show 
that  all  failures,  messages,  and  outputs  of  the  shuffle  are  independent  of  b.  Which  case 
applies  depends  only  on  the  /|  and  thus  is  independent  of  b. 

*  Case  1:  =  FALSE  for  all  h  £  H. 

It  is  shown  above  that  all  inputs  to  C"^  are  independent  of  b  except  m'^,  irC^, 
m\  =  Ah,  h  £  H\{a,  /?},  and  b  itself.  Each  accusation  Ah,  h  £  H\{a,  /?}, 
depends  on  the  descriptor  dh,  the  shuffle  output  0\  and  the  contents  of  the 
received  by  h  from  all  j.  These  are  shown  above  to  be  independent  of  b,  and  so  Ah 
is  independent  of  b  as  well. 

We  claim  that  the  accusation  A^^^  created  by  the  member  /iq  G  {a,  /?}  that  is 
assigned  mo  is  created  the  same  regardless  of  ho-  After  showing  this,  we  will  be 
able  to  apply  Eemma  12  to  prove  the  anonymity  of  the  shuffle.  Am^  depends  on 

dho- 

If  0\  =  (failure, BLAME^\ for  some  h  £  {a,/?},  then  neither  a  nor  /3 
creates  an  accusation,  and  Am^  =  regardless  of  ho- 

Now  suppose  that  Oj^  =  (SUCCESS,  for  all  h  £  {a,/?}.  We  observe  that, 

although  C"^  does  not  strictly  execute  ANONYMIZE-S,  after  Phase  3  of  the  shuffle 
that  challenger  does  simply  execute  ANONYMIZE- S  for  each  h  £  H,  assuming 
that  he  does  not  fail.  If  had  failed  during  the  descriptor  shuffle,  of  course,  we 
would  not  have  reached  this  phase,  and  therefore  we  can  assume  that  he  did  not. 
In  addition,  the  outcome  is  the  same  as  if  the  entire  GMP-SHUFFLE  had  been  run 
because  all  =  FALSE  by  assumption  and  the  parameters  K,  r,  and  n/jj  used  for 
ANONYMiZE-S  are  generated  by  SETUP-B  in  the  same  way  that  SETUP-S  generates 
them.  Thus,  we  observe  that  the  proof  of  Eemma  2  applies  to  the  descriptor  shuffle. 
We  are  therefore  guaranteed  that  the  outputs  (SUCCESS, h  £  {a,/?},  are 
identical.  We  can  then  assume  that  =  (SUCCESS,  M'^^)  =  O^. 

If  a  receives  a  with  GOj  =  FALSE,  then  fd  must  as  well.  Otherwise,  the  equivo¬ 
cation  would  have  been  discovered  and  the  shuffle  deliberately  failed  by  all  honest 


59 


members,  eontradieting  our  assumption  for  this  ease.  The  aeeusation  for  both  mem¬ 
bers  in  this  ease  is  empty,  and  so  we  ean  say  that  Am^  =  regardless  of  ho. 

If  a  and  /3  reeeive  GOj  =  TRUE  in  all  iXji,  then  any  ineorreet  eiphertexts  a  reeeives 
in  must  also  be  reeeived  by  (3.  Otherwise,  again,  all  honest  users  would  have 
notieed  the  equivoeation  and  eaused  the  blame  shuffle  to  fail,  eontradieting  the  ease 
assumption.  Thus,  beeause  a  and  /3  have  the  same  sequenee  of  deseriptors,  and 
beeause  equality  of  hashes  implies  equality  of  the  preimages  by  seeond-preimage 
resistanee,  we  ean  eonelude  that  a  and  /3  must  reeeive  all  the  same  As  stated 
above,  aeeusation  Amo  depends  only  on  dmo,  and  the  GOj  and  Cij  eontained 
in  eaeh  fij4  reeeived  by  Hq.  We  have  shown  that  in  this  ease  all  of  these  are  equal 
for  a  and  /3,  and  thus  A^q  is  indeed  ereated  the  same  regardless  of  /iq. 

The  above  arguments  apply  to  the  aeeusation  Ami  created  by  the  user  hi  G  {a,  /?} 
that  is  assigned  mi.  Therefore,  with  mg^  =  Amg,  rrfi  =  Ami,  ^  ’^he  set  of 
all  inputs  from  to  exeept  b,  we  ean  apply  Lemma  12.  We  eonelude  that 
fails  during  the  blame  shuffle  with  probability  independent  of  b,  that  the  messages 
sent  to  A  are  independent  of  b,  and  that  the  output  is  independent  of  b. 

*  Case  2:  /|  =  1  for  some  h  &  H. 

In  this  ease,  we  simply  view  as  ealling  C"^  with  A^  =  h  for  all  h  G  H.  Beeause 
the  shuffle  will  fail,  the  ehallenger  will  fail  if  is  set  to  0.  Otherwise,  =  1, 
and  the  shuffle  effeetively  uses  h  as  the  input  message  for  eaeh  /i  G  Tf.  In  this 
ease,  b  has  no  effeet  on  the  messages  of  eaeh  user  and  therefore  no  effeet  on  the 
shuffle.  Thus,  C"^  fails  during  the  blame  shuffle  with  probability  independent  of 
b,  the  messages  sent  to  A  during  the  shuffle  are  independent  of  b,  and  the  shuffle 
output  is  independent  of  b. 

The  message  =  {p',  tir,  7,  /i}siG„^  sent  by  h  £  H  depends  on  /|  and  the  messages 
and  pi4  reeeived  by  h.  These  are  shown  above  to  be  independent  of  b,  and  thus  phi 
is  independent  of  b  as  well. 

The  additional  inputs  to  A  sinee  his  last  output  are  messages  sent  during  the  blame 
shuffle  and  h  £  H,  all  of  whieh  are  shown  above  to  be  independent  of  b.  Thus  the 
messages  i  £  D,  reeeived  by  /i  G  Tf  are  independent  of  b. 

The  messages  phT,  h  £  H,  reeeived  by  h'  £  H  are  shown  above  to  be  independent  of  b. 
For  eaeh  h  £  H,  SUCCESS^  and  BLAME/j  are  set  differently  in  several  different  eases. 
Whieh  ease  applies  depends  on  and  whieh  are  shown  above  to  be  independent 
of  b.  Thus  whieh  ease  is  applied  is  also  independent  of  b.  For  eaeh  ease,  SUCCESS/j 
and  BLAME/i  depend  at  most  on  BLAME^^;  on  the  messages  pis,  pu,  and  sent  and 
reeeived  by  /i;  on  the  blame-shuffle  output  and  on  the  deseriptor-shuffle  output  O^. 
These  are  all  shown  above  to  be  independent  of  b,  and  thus  SUCCESS/i  and  BLAME/j  are 
independent  of  b  as  well. 

Output  messages  M^,  h  £  H,  aie  ereated  depending  on  SUCCESS/^  and  the  messages 
PiA  sent  and  reeeived  by  h.  These  are  shown  above  to  be  independent  of  b,  and  thus 
is  independent  of  b  as  well. 

Log  ih,  h  £  H,  depends  on  SUCCESS/i,  the  output  of  SETUP-B,  all  messages  sent  and 
reeeived  by  h,  and  the  shuffle  outputs  0\  and  0\.  These  are  all  shown  above  to  be 
independent  of  b,  and  thus  is  independent  of  b  as  well. 


60 


-  The  output  Oh  of  gmp-bulk,  h  g  H,  depends  on  SUCCESS/J,  M'^,  blame/j,  and 
These  are  shown  above  to  be  independent  of  b,  and  thus  Oh  is  independent  of  b  as  well. 

We  have  thus  shown  that,  given  input  I  =  i,  for  every  exeeution  of  C"^  when  6  =  0  there  is  an 
execution  when  6  =  1  that  occurs  with  the  same  probability  and  for  which  (/)  is  the  same,  (//) 
M  is  the  same,  and  {in)  O  is  the  same.  □ 


Lemma  21.  A(G’^)  =  0. 

Proof.  To  prove  this,  we  show  that  the  steps  of  the  anonymity  game  surrounding  the  challenge  run 
are  independent  of  6  and  use  the  previous  lemma  for  the  challenge  run  itself. 

1.  In  Step  1,  pre-challenge  rounds  of  the  bulk  protocol  are  executed,  which  do  not  depend  on  6. 

2.  In  Step  2,  A  sends  the  challenge  participants  a  and  /?,  the  challenge  messages  ttiq  and 
mf ,  and  the  non-challenge  messages  nih,  h  G  H\{a,  /?},  which  must  be  independent  of  6 
because  all  previous  inputs  to  A  were  shown  above  to  be  independent  of  6. 

3.  Step  3  of  the  anonymity  game  is  for  the  challenger  to  assign  the  messages  of  the  challenge 
users  according  to  6.  However,  we  leave  these  variables  undefined,  as  we  have  modified  the 
challenger  to  create  Game  7  such  that  they  are  not  necessary. 

4.  The  challenge  run  is  executed  during  Step  4.  We  observe  that  first  executes  SETUP-B. 
This  protocol  takes  only  the  long-term  signing  keys  as  input,  and  therefore  its  output 

{nR,  ur.^  ,  ur^  ,  K,  t)  is  independent  of  6.  Next  calls  C'^  with  inputs  6  and 
I  =  {nR,nR^,nR^,K,T,a,j3,ml,m\,{mh}h&H\{a,l3})-  /  has  been  shown  to  be  indepen¬ 
dent  of  6.  Therefore,  by  applying  Lemma  20,  we  can  conclude  that  fails  independently  of 
6,  and  if  it  does  not  fail  any  messages  M  to  A  and  outputs  O  are  also  independent  of  6. 

5.  In  Step  5,  the  challenger  executes  further  rounds  of  the  protocol.  The  adversary’s  inputs  up  to 
this  point  have  been  shown  to  be  independent  of  6,  and  thus  these  executions  do  not  depend 
on  6. 


6.  In  Step  6,  A  outputs  guess  6.  All  inputs  to  the  adversary  have  been  shown  to  be  independent 
of  6,  and  thus  6  is  independent  of  6. 

The  game  output  G^(6)  only  depends  on  and  6.  These  have  both  been  shown  to  be  independent 
of  6,  and  therefore 

Fr[G^(l)  =  1]  =  Fr[G^(0)  =  1]. 


□ 


Taken  together,  the  preceding  lemmas  show  that  the  adversary  has  a  negligible  advantage  in  the 
anonymity  game: 

Theorem  6.  The  GMP-BULK  protocol  maintains  anonymity  with  k  colluding  members  for  any  0  < 
k<N  -2. 

Proof  Let  A  be  a  probabilistic  polynomial-time  adversary.  We  denote  the  change  in  advantage 
between  games  i  and  j  as  eij  =  |  A(G-^)  —  A(G*)|  .  Using  Lemmas  14  and  16,  the  advantage  of 
A  in  the  anonymity  game  with  GMP-BULK  is  at  most  2  (eo2  +  2  (ess  +  ^56  +  £67  +  A(G^)))  .  By 
Lemma  21  this  is  2eo2  +  dess  +  4es6  +  degr.  This  quantity  is  negligible  by  Lemmas  15,  17,  18,  and 
19.  □ 


61 


6  Related  Work 


dissent’s  shuffle  protocol  builds  directly  on  an  anonymous  data  collection  protocol  by  Brick- 
ell  and  Shmatikov  (Brickell  and  Shmatikov  2006b),  adding  DoS  resistance  via  new  go/no-go  and 
blame  phases,  dissent’s  bulk  protocol  is  similarly  inspired  by  DC-nets  (Chaum  1988),  which 
are  computationally  efficient  and  provide  unconditional  anonymity.  DC-nets  ttaditionally  require 
nondeterministic  “reservation”  schemes  to  allocate  the  anonymous  channel’s  communication  band¬ 
width,  however,  and  are  difficult  to  protect  against  anonymous  DoS  attacks  by  malicious  group 
members.  Strategies  exist  to  strengthen  DC-nets  against  DoS  attacks  (Waidner  and  Pfitzmann  1989; 
Golle  and  duels  2004),  or  to  form  new  groups  when  an  attack  is  detected  (Sirer  et  al.  2004).  dis¬ 
sent’s  use  of  a  shuffle  protocol  to  set  up  a  deterministic  DC-nets  instance,  however,  cleanly  avoids 
these  DoS  vulnerabilities  while  providing  the  additional  guarantee  that  each  member  sends  exactly 
one  message  per  protocol  run,  a  useful  property  for  holding  votes  or  assigning  1-to-l  pseudonyms. 

Mix  networks  (Chaum  1981)  offer  high-latency  but  practical  anonymous  communication,  and 
can  be  adapted  to  group  broadcast  (Perng,  Reiter,  and  Wang  2006).  Unfortunately,  for  many  mix- 
network  designs,  anonymity  is  vulnerable  to  traffic  analysis  (Serjantov,  Dingledine,  and  Sy ver¬ 
son  2003)  and  performance  is  vulnerable  to  DoS  attacks  (Dingledine  and  Sy  verson  2002;  Iwanik, 
Klonowski,  and  Kutylowski  2004).  Cryptographically-verifiable  mixes  (Neff  2001;  Furukawa  and 
Sako  2001;  Adida  2006)  are  a  possible  solution  to  DoS  attacks  and  a  potential  replacement  for  our 
shuffle  protocol.  These  algorithms  require  exotic  and  complex  cryptography,  however,  bringing 
efficiency  costs  and  implementation  and  verification  challenges. 

Low-latency  designs  can  provide  fast  and  efficient  communication  supporting  a  wide  variety  of 
applications,  but  they  typically  provide  much  weaker  anonymity  than  DISSENT.  For  example,  onion 
routing  (Goldschlag,  Reed,  and  Syverson  1999;  Dingledine,  Mathewson,  and  Syverson  2004),  a 
well-known  and  practical  approach  to  general  anonymous  communication  on  the  Internet,  is  vul¬ 
nerable  to  traffic  analysis  by  adversaries  who  can  observe  streams  going  into  and  out  of  the  net¬ 
work  (Syverson,  Tsudik,  Reed,  and  Landwehr  2000).  Similarly,  Crowds  (Reiter  and  Rubin  1999) 
is  vulnerable  to  statistical  traffic  analysis  when  an  attacker  can  monitor  many  points  across  the  net¬ 
work.  Herbivore  (Goel,  Robson,  Polte,  and  Sirer  2003)  provides  unconditional  anonymity,  but  only 
within  a  small  subgroup  of  the  total  group  of  participants,  fc-anonymous  transmission  protocols 
(von  Ahn,  Bortz,  and  Hopper  2003)  provide  anonymity  only  when  most  members  of  a  group  are 
honest. 

We  thus  observe  a  tradeoff  between  security,  efficiency,  and  possible  applications.  Furthermore, 
many  cryptographic  attacks  have  been  discovered  against  specific  anonymity  protocols.  These  pro¬ 
tocols  are  often  complex  and  contain  subtle  flaws  in  design,  security  proofs,  or  security  definitions. 

For  example,  many  attacks  have  been  identified  against  mix-network  schemes,  some  against 
schemes  that  offered  proofs  of  security.  A  simple  yet  powerful  attack  against  one  scheme  (Park, 
Itoh,  and  Kurosawa  1994)  trivially  breaks  an  honest  member’s  anonymity  if  an  attacker  can  create 
a  ciphertext  related  to  that  member’s  ciphertext  (Pfitzmann  1994;  Pfitzmann  and  Pfizmann  1990). 
An  attack  on  the  integrity  of  a  scheme  claimed  to  be  probably  secure  (Jakobsson  1998)  was  given 
by  Mitomo  and  Kurosawa  (2000).  A  corrupted  mix  server  can  alter  intermediate  ciphertexts,  affect¬ 
ing  the  corresponding  output  messages,  without  being  detected.  Several  attacks  on  the  anonymity 
and  robustness  of  another  scheme  (Golle,  Zhong,  Boneh,  Jakobsson,  and  duels  2002)  claimed  se¬ 
cure  were  presented  by  Wikstrom  (2003).  These  attacks  exploited  previously  identified  (Pfitzmann 
1994;  Pfitzmann  and  Pfizmann  1990;  Desmedt  and  Kurosawa  2000)  general  design  flaws  as  well 


62 


as  the  ability  of  mix  servers  to  use  ineorreet  and  speeially-prepared  inputs.  Abe  and  Imai  (2003) 
deseribed  two  anonymity  attaeks  on  mix-net  designs  (Jakobsson  and  fuels  2001;  Golle,  Zhong, 
Boneh,  Jakobsson,  and  fuels  2002),  possible  when  members  eollude  with  a  server  and  even  with 
eompletely-honest  mix  servers.  Later,  the  authors  pointed  out  (Abe  and  Imai  2006)  that  some  flaws 
are  related  to  weak  seeurity  definitions.  Even  newly  proposed  sehemes  still  sueeumb  to  previous 
attaeks.  A  reeent  work  of  Khazaei,  Terelius,  and  Wikstrdm  (2012)  points  out  flaws  in  the  design  of 
Allepuz  and  Gastello  (2010)  that  faeilitate  attaeks  against  anonymity  and  integrity,  some  of  whieh 
are  based  on  previously-deseribed  attaeks  (Pfitzmann  1994). 

These  attaeks  show  that  obtaining  a  provably  seeure  anonymous  eommunieation  protoeol  is  a 
surprisingly  eomplex  task.  It  requires  a  eonsiderable  amount  of  effort  and  eareful  attention  to  every 
design  detail  of  a  protoeol.  Indeed,  only  relatively  reeently  has  a  framework  for  rigorous  seeurity 
proofs  been  available  for  mix  networks  (Wikstrom  2004). 

7  Conclusion  and  Future  Work 

DISSENT  is  a  novel,  provably  seeure  protoeol  for  anonymous  and  aeeountable  group  eommuniea¬ 
tion.  DISSENT  allows  a  well-defined  group  of  partieipants  to  exehange  variable-length  messages 
anonymously,  while  resisting  the  traffie  analysis  and  anonymous  DoS  attaeks  effeetive  against  mix- 
networks,  DC-nets,  and  onion  routing.  DISSENT  improves  upon  previous  shuffled-send  primitives 
by  adding  aeeountability — the  ability  to  traee  misbehaving  nodes — and  by  eliminating  the  message 
padding  requirements  of  earlier  sehemes.  DISSENT  guarantees  anonymity,  integrity,  and  aeeount¬ 
ability,  and  has  been  shown  praetieal  for  anonymous  eommunieation  within  moderate-size  groups. 

We  have  presented  an  improved  version  of  this  protoeol  that  fixes  several  flaws  in  the  original 
design.  We  have  preeisely  defined  its  seeurity  properties  and  provided  detailed  seeurity  proofs. 

Future  work  ineludes  exploring  ways  to  aehieve  sealability  in  order  to  accommodate  large 
groups,  as  well  as  interactivity  to  make  DISSENT  suitable  for  latency-sensitive  applications. 

APPENDIX 

Here  we  describe  in  more  detail  some  of  the  security  flaws  discovered  in  the  DISSENT  protocol 
of  Corrigan-Gibbs  and  Ford  (2010).  Flaws  were  discovered  affecting  each  of  the  desired  security 
criteria:  integrity,  anonymity,  and  accountability.  We  also  briefly  mention  the  technique  we  adopted 
to  fix  each  problem.  By  following  a  rigorous  proof  methodology  for  the  improved  protocol,  we  can 
have  high  confidence  that  these  fixes  have  not  not  introduced  problems  of  their  own.  Note  that  the 
terminology  and  notation  used  here  is  that  of  Corrigan-Gibbs  and  Ford  (2010). 

Anonymity 

•  Ciphertext  replay  attack  in  shuffle 

Flaw:  The  adversary  can  replay  a  ciphertext  Q  of  some  user  i  from  an  earlier  run  of  the 
shuffle  by  submitting  Ci  as  his  own  ciphertext.  Then  the  adversary  looks  for  the  “inner” 
ciphertext  C'  that  appeared  at  the  end  of  the  anonymization  phase  (Phase  3)  in  both  this  run 
and  the  earlier  run.  The  adversary  can  conclude  that  the  message  contained  in  that  inner 
ciphertext,  which  was  successfully  decrypted  in  the  earlier  run,  were  sent  by  i. 


63 


Fix:  New  “outer”  eneryption  keys  are  generated  in  eaeh  run  of  the  shuffle. 

•  Message  deseriptor  replay  attaek  in  the  bulk  protoeol 

Flaw:  The  adversary  ean  replay  the  message  deseriptor  di  of  some  user  i  reeeived  in  an  earlier 
run  of  the  bulk  protoeol  by  submitting  it  as  his  own  deseriptor.  di  eontains  an  enerypted 
seed  for  i  that  does  not  generate  a  eiphertext  with  a  hash  matehing  the  ineluded  hash.  In  the 
previous  run,  user  i  was  looking  for  a  slot  with  deseriptor  matehing  di  and  used  a  preeomputed 
eiphertext  for  it  instead  of  using  the  ineluded  seed.  In  this  run,  i  is  not  looking  for  it,  and 
because  the  hash  of  the  ciphertext  won’t  match  the  one  included  in  di,  i  will  send  an  empty 
ciphertext.  This  identifies  i  as  the  owner  of  the  message  revealed  during  the  slot  containing 
di  in  the  previous  run. 

Fix:  New  encryption  keys  for  the  seeds  in  the  message  descriptors  are  generated  in  each  run 
of  the  bulk  protocol. 

•  Ciphertext  equivocation  attack  in  the  bulk  protocol 

Flaw:  The  adversary  can  target  user  i  as  the  suspected  owner  of  a  slot  7r(j)  by  sending  an 
incorrect  ciphertext  Cjk  to  i  in  Phase  3  and  sending  correct  ciphertexts  to  all  other  members. 
Then  if  a  valid  accusation  comes  out  of  the  blame  phase  (Phase  5),  i  must  be  the  owner  of  the 
slot,  that  is,  i  =  j. 

Fix:  Rebroadcast  the  ciphertexts  before  the  blame  shuffle,  and  then  have  users  that  observe 
ciphertext  equivocation  “break”  the  blame  shuffle  and  then  send  evidence  of  equivocation  to 
exonerate  themselves  and  expose  the  equivocation  member. 

•  Adversary  copies  encrypted  seeds  during  the  bulk  protocol 

Flaw:  An  adversary  in  the  last  position  of  the  shuffle  can  copy  the  ciphertext  containing  a 
message  descriptor  into  his  own  slot.  An  honest  member  only  looks  for  one  message  descrip¬ 
tor  matching  her  own,  and  therefore  the  owner  of  the  copied  descriptor  will  use  the  encrypted 
seed  in  the  second  slot  containing  her  descriptor,  the  ciphertext  won’t  match  the  hash,  and  so 
she  will  send  an  empty  ciphertext.  This  identifies  herself  as  the  owner  of  the  slot  containing 
the  first  copy  of  the  descriptor,  which  does  have  its  message  revealed. 

Relatedly,  it  appears  technically  possible  for  an  adversary  to  create  a  wholly  new  descriptor 
that  contains  the  encrypted  seed  that  a  slot  owner  creates  for  herself  in  her  own  descriptor. 
IND-CCA2  doesn’t  appear  to  have  a  type  of  non-malleability  that  would  prevent  this  kind 
of  copying.  Thus  simply  looking  for  all  copies  of  a  member’s  descriptor  isn’t  enough,  as 
the  adversary  could  potentially  target  a  member  by  copying  out  her  encrypted  seed  from 
her  encrypted  message  descriptor  into  a  totally  different  descriptor.  The  member  who  uses 
different  ciphertexts  for  the  same  seeds  is  the  owner  of  the  (original  non-modified)  descriptors. 

Fix:  Have  members  look  for  all  copies  of  their  encrypted  seed,  and  use  the  same  precomputed 
ciphertext  in  each  of  those  slots. 

Accountability 

•  Ciphertext  duplication  attack  in  the  shuffle 


64 


Flaw:  An  adversary  in  the  first  position  of  shuffle  can  use  as  his  own  ciphertext  submission 
the  ciphertext  that  an  honest  member  submits  into  the  shuffle.  The  shuffle  fails  when  dupli¬ 
cate  ciphertexts  are  observed,  and  both  the  honest  and  dishonest  members  are  exposed.  This 
violates  accountability,  which  prohibits  exposing  honest  members. 

Fix:  Members  must  first  commit  publicly  to  their  ciphertext  submission  using  non-malleable 
commitments  and  including  their  identity  (e.g.  their  shuffle  position)  in  the  commitment. 

•  Equivocation  in  proceeding  to  blame  in  the  shuffle 

Flaw:  If  all  GO*  =  true  in  the  verification  phase  (Phase  4),  but  dishonest  j  pretends  to 
honest  k  that  j  received  GOj  =  FALSE  from  i  by  only  sending  blame  data  in  the  last  phase 
(i.e.  executing  Phase  5b),  while  sending  his  private  key  Wj  to  all  other  members  (i.e.  executing 
Phase  5a  with  respect  to  them),  then  it  is  not  clear  if  liveness  assumption  implies  that  k  can 
eventually  get  enough  blame  data  from  the  other  members  (who  see  everything  go  correctly, 
proceed  to  Phase  5a,  and  finish  the  protocol)  to  expose  a  faulty  member. 

Fix:  The  key  release  and  blame  phases  (Phase  5a  and  5b)  are  now  unconditionally  run  in 
sequence.  A  member  must  justify  in  the  blame  phase  not  sending  out  aprivate  key  in  the 
key-release  phase  with  enough  evidence  to  expose  another  member. 

Integrity 

•  Ciphertext  equivocation  attack  in  the  bulk  protocol 

Flaw:  The  adversary  can  send  a  bad  ciphertext  to  just  one  member,  who,  if  not  the  owner, 
will  never  receive  a  valid  accusation  and  so  will  complete  successfully  without  all  honest 
members’  messages. 

Fix:  As  described  earlier  as  the  fix  to  an  anonymity  attack,  we  rebroadcast  the  ciphertexts 
before  the  blame  shuffle,  and  then  we  have  users  that  observe  ciphertext  equivocation  “break” 
the  blame  shuffle  and  then  send  evidence  of  equivocation  to  exonerate  themselves  and  expose 
the  equivocating  member. 


References 

Abe,  M.  and  H.  Imai  (2003).  Flaws  in  some  robust  optimistic  mix-nets.  In  AC/S'P. 

Abe,  M.  and  H.  Imai  (2006).  Flaws  in  robust  optimistic  mix-nets  and  stronger  security  notions. 
lEICE  Trans.  Eundam.  Electron.  Commun.  Comput.  Sci. . 

Adida,  B.  (2006).  Advances  in  cryptographic  voting  systems.  Ph.  D.  thesis,  Cambridge,  MA, 
USA. 

Allepuz,  J.  P.  and  S.  G.  Castello  (2010).  Universally  verifiable  efficient  re-encryption  mixnet.  In 
Electronic  Voting.  GI. 

Bellare,  M.,  A.  Desai,  D.  Pointcheval,  and  P.  Rogaway  (1998).  Relations  among  notions  of  secu¬ 
rity  for  public-key  encryption  schemes.  Advances  in  Cryptology  — CRYPTO  ’98. 

Brickell,  J.  and  V.  Shmatikov  (2006a).  Efficient  anonymity-preserving  data  collection.  In  Pro¬ 
ceedings  of  the  12th  ACM  SIGKDD  International  Conference  on  Knowledge  Discovery  and 
Data  Mining. 


65 


Brickell,  J.  and  V.  Shmatikov  (2006b).  Efficient  anonymity-preserving  data  collection. 

Castro,  M.  and  B.  Liskov  (1999,  February).  Practical  byzantine  fault  tolerance.  In  OSDI. 

Chaum,  D.  (1981,  February).  Untraceable  electronic  mail,  return  addresses,  and  digital 
pseudonyms.  Communications  of  the  ACM. 

Chaum,  D.  (1988,  January).  The  dining  cryptographers  problem:  Unconditional  sender  and  re¬ 
cipient  untraceability.  Journal  of  Cryptology. 

Clarke,  I.,  O.  Sandberg,  B.  Wiley,  and  T.  W.  Hong  (2000,  July).  Freenet:  A  distributed  anony¬ 
mous  information  storage  and  retrieval  system.  In  Workshop  on  Design  Issues  in  Anonymity 
and  Unobservability. 

Corrigan-Gibbs,  H.  and  B.  Ford  (2010).  Dissent:  Accountable  anonymous  group  messaging.  In 
Proceedings  of  the  1 7th  ACM  Conference  on  Computer  and  Communications  Security. 

Davenport,  D.  (2002,  April).  Anonymity  on  the  Internet:  why  the  price  may  be  too  high.  Com¬ 
munications  of  the  ACM  45(4),  33-35. 

Desmedt,  Y.  and  K.  Kurosawa  (2000).  How  to  break  a  practical  mix  and  design  a  new  one.  In 
EUROCRYPT. 

Dingledine,  R.,  N.  Mathewson,  and  P.  Syverson  (2004).  Tor:  the  second-generation  onion  router. 
In  SSYM’04:  Proceedings  of  the  13th  conference  on  USENIX  Security  Symposium. 

Dingledine,  R.  and  P.  Syverson  (2002,  March).  Reliable  MIX  cascade  networks  through  reputa¬ 
tion.  In  Einancial  Cryptography. 

Dolev,  D.,  C.  Dwork,  and  M.  Naor  (2000).  Nonmalleable  cryptography.  SIAM  J.  Comput.. 

Douceur,  J.  R.  (2002,  March).  The  Sybil  attack.  In  1st  International  Workshop  on  Peer-to-Peer 
Systems. 

Furukawa,  J.  and  K.  Sako  (2001,  August).  An  efficient  scheme  for  proving  a  shuffle.  In  CRYPTO. 

Goel,  S.,  M.  Robson,  M.  Polte,  and  E.  G.  Sirer  (2003,  February).  Herbivore:  A  Scalable  and 
Efficient  Protocol  for  Anonymous  Communication.  Technical  Report  2003-1890,  Cornell 
University. 

Goldschlag,  D.,  M.  Reed,  and  P.  Syverson  (1999,  February).  Onion  routing  for  anonymous  and 
private  internet  connections.  Communications  of  the  ACM  42(2),  39^1. 

Goldwasser,  S.,  S.  Micali,  and  R.  F.  Rivest  (1995).  A  digital  signature  scheme  secure  against 
adaptive  chosen-message  attacks. 

Golle,  P.  and  A.  fuels  (2004,  May).  Dining  cryptographers  revisited.  Eurocrypt. 

Golle,  P,  S.  Zhong,  D.  Boneh,  M.  Jakobsson,  and  A.  fuels  (2002).  Optimistic  mixing  for  exit- 
polls.  \nAsiacrypt  2002,  LNCS  2501. 

Haeberlen,  A.,  P.  Kouznetsov,  and  P.  Druschel  (2007,  October).  PeerReview:  Practical  account¬ 
ability  for  distributed  systems.  In  2Ist  SOSP. 

Iwanik,  J.,  M.  Klonowski,  and  M.  Kutylowski  (2004,  September).  DUO-Onions  and  Hydra- 
Onions  —  failure  and  adversary  resistant  onion  protocols.  In  lEIP  CMS. 

Jakobsson,  M.  (1998).  Flash  mixing.  EUROCRYPT. 


66 


Jakobsson,  M.  and  A.  duels  (2001).  An  optimally  robust  hybrid  mix  network.  In  In  Principles  of 
Distributed  Computing  -  PODC  01 . 

Khazaei,  S.,  B.  Terelius,  and  D.  Wikstrbm  (2012).  Cryptanalysis  of  a  universally  verifiable 
efficient  re-encryption  mixnet.  In  International  conference  on  Electronic  Voting  Technol¬ 
ogy/Workshop  on  Trustworthy  Elections. 

Lamport,  L.  (1998).  The  part-time  parliament.  TOCS. 

Mitomo,  M.  and  K.  Kurosawa  (2000).  Attack  for  flash  MIX.  In  In  Advances  in  Cryptology  - 
ASIACRYPT  2000,  LNCS,  pp.  192-204.  Springer- Verlag. 

Neff,  C.  A.  (2001,  November).  A  verifiable  secref  shuffle  and  ifs  applicafion  fo  e-vofing.  In  ACM 
CCS. 

Park,  C.,  K.  Ifoh,  and  K.  Kurosawa  (1994).  Efficienl  anonymous  channel  and  all/nofhing  election 
scheme.  In  EUROCRYPT. 

Perng,  G.,  M.  Reifer,  and  C.  Wang  (2006).  M2:  Mulficasling  mixes  for  efficienl  and  anonymous 
communication.  In  26th  ICDCS,  pp.  59-59. 

Pfilzmann,  B.  (1994).  Breaking  an  efficienl  anonymous  channel.  In  EUROCRYPT. 

Pfilzmann,  B.  and  A.  Pfizmann  (1990).  How  lo  break  Ihe  direcl  RSA-implemenlafion  of  mixes. 
In  EUROCRYPT. 

Reifer,  M.  K.  and  A.  D.  Rubin  (1999).  Anonymous  web  Iransaclions  wilh  crowds.  Communica¬ 
tions  of  the  ACM  42(2),  32^8. 

Rogaway,  P.  and  T.  Shrimplon  (2004).  Cryplographic  hash-funclion  basics:  Definitions,  impli- 
calions,  and  separalions  for  preimage  resislance,  second-preimage  resisfance,  and  collision 
resislance.  In  Past  Software  Encryption  -  PSE’04. 

Serjanlov,  A.,  R.  Dingledine,  and  P.  Syverson  (2003).  From  a  Irickle  lo  a  flood:  Aclive  alfacks 
on  several  mix  lypes.  Information  Hiding. 

Sirer,  E.  G.  el  al.  (2004,  Seplember).  Eluding  carnivores:  File  sharing  wilh  slrong  anonymily.  In 
ACMSIGOPS  EW. 

Slein,  E.  (2003).  Queers  anonymous:  Eesbians,  gay  men,  free  speech,  and  cyberspace.  Harvard 
Civil  Rights-Civil  Liberties  Law  Review. 

Stinson,  D.  R.  (2005).  Cryptography:  Theory  and  Practice,  Third  Edition  (Discrete  Mathematics 
and  Its  Applications).  Chapman  &  Hall/CRC. 

Slone,  B.  and  M.  Richlel  (2007).  The  hand  lhal  conlrols  Ihe  sock  puppel  could  gel  slapped.  New 
York  Times. 

Syverson,  P,  G.  Tsudik,  M.  Reed,  and  C.  Eandwehr  (2000,  July).  Towards  an  Analysis  of  Onion 
Routing  Securily.  In  Design  Issues  in  Anonymity  and  Unobservability. 

Teich,  A.,  M.  S.  Frankel,  R.  Kling,  and  Y.  Fee  (1999,  May).  Anonymous  communication  policies 
for  Ihe  Infernel:  Resulls  and  recommendations  of  Ihe  AAAS  conference.  Information  Society. 

von  Ahn,  E.,  A.  Borfz,  and  N.  J.  Hopper  (2003).  k-anonymous  message  transmission.  In  lOth 
CCS. 


67 


Waidner,  M.  and  B.  Pfitzmann  (1989,  April).  The  dining  cryptographers  in  the  disco:  Uncon¬ 
ditional  sender  and  recipient  untraceability  with  computationally  secure  serviceability.  In 
Eurocrypt. 

Wallace,  J.  D.  (1999,  December).  Nameless  in  cyberspace:  Anonymity  on  the  internet.  Cato 
Briefing  Paper  No.  54. 

Wikstrdm,  D.  (2003).  Five  practical  attacks  for  ’’optimistic  mixing  for  exit-polls”.  In  Selected 
Areas  in  Cryptography. 

Wikstrdm,  D.  (2004).  A  universally  composable  mix-net.  In  TCC. 

Yale  Law  Journal  (1961,  June).  The  constitutional  right  to  anonymity:  Free  speech,  disclosure 
and  the  devil.  Yale  Law  Journal  70{1),  1084-1128. 


68 


